"Installation VPS": difference between versions

From Wiki Arthion
(→Monitoring and backup: added the various monitoring checks)
Line 488: Line 488:

 usermod -g www tony

 === Monitoring ===
 http://munin-monitoring.org/wiki/Debugging_Munin_plugins
 http://wiki.queret.net/docs/monitoring/munin#postfix
 https://github.com/rtucker/munin-lighttpd/blob/master/lighttpd_
 http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModStatus
 http://munin-monitoring.org/ticket/869

Revision as of 17 May 2012, 10:13

Installation

Configure the subdomain to point to the IP address in the OVH admin panel

Basic configuration

Root account, user and SSH

Change the root password that was sent by e-mail

 passwd root

Create a basic user for the SSH connection

 adduser nouveauuser
 aptitude install sudo

 visudo

add nouveauuser to the sudoers list

Add the public key for the user's future SSH login

  su nouveauuser

Public key to place in:

  ~/.ssh/authorized_keys

Edit the SSH configuration: vi /etc/ssh/sshd_config

 Port 10000                  # Change the default port
 PermitRootLogin no          # Do not allow root login
 Protocol 2                  # Protocol v2 only
 #AllowUsers nouveauuser     # Allow only one user
 PubkeyAuthentication yes    # Allow public-key authentication
 #PasswordAuthentication no  # Refuse password authentication; enable only after confirming that key-based login works.
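
Added check, not from the original page: a small Python audit of an sshd_config that distinguishes an active directive from one left commented out, so that the `#PasswordAuthentication no` line above is not mistaken for a setting in force (a commented line leaves OpenSSH's built-in default, password logins accepted, in place). The sample config is constructed from the values above and the `audit_sshd_config` / `lockout_risks` names are chosen for this example.

```python
import re

# Constructed sshd_config fragment with the directives from the hardening
# step above (trailing comments dropped); not a real server's file.
SAMPLE_SSHD_CONFIG = """\
Port 10000
PermitRootLogin no
Protocol 2
#AllowUsers nouveauuser
PubkeyAuthentication yes
#PasswordAuthentication no
"""

HARDENING = ("Port", "PermitRootLogin", "Protocol", "AllowUsers",
             "PubkeyAuthentication", "PasswordAuthentication")

# optional '#', directive name, value (trailing whitespace ignored)
_LINE = re.compile(r"^\s*(#?)\s*(\w+)\s+(.*?)\s*$")

def audit_sshd_config(text):
    """Return {directive: (state, value)} for the hardening directives.

    state is "active" (in force), "commented" (present but behind '#', so
    OpenSSH's built-in default still applies) or "missing". sshd honours
    the first active occurrence of a directive, so later ones are ignored.
    """
    result = {d: ("missing", None) for d in HARDENING}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m or m.group(2) not in result:
            continue
        commented, key, value = m.group(1) == "#", m.group(2), m.group(3)
        if not commented and result[key][0] != "active":
            result[key] = ("active", value)
        elif commented and result[key][0] == "missing":
            result[key] = ("commented", value)
    return result

def lockout_risks(audit):
    """Findings a defender wants to see before trusting the config."""
    findings = []
    state, value = audit["PasswordAuthentication"]
    if state != "active" or value.lower() != "no":
        findings.append("password logins still accepted (directive %s)" % state)
    state, value = audit["PermitRootLogin"]
    if state != "active" or value.lower() != "no":
        findings.append("root login not disabled (directive %s)" % state)
    return findings
```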


Restart the SSH service after these changes:

 /etc/init.d/ssh restart

Configure the locales and the time zone

 dpkg-reconfigure locales
 dpkg-reconfigure tzdata

Update the system and reboot

 aptitude update && aptitude full-upgrade

Network configuration

vi /etc/hostname and enter the reverse DNS name configured at OVH

vi /etc/hosts

 127.0.0.1       localhost
 xx.x.xxx.xxx    truc.machin.com truc

vi /etc/resolv.conf

 nameserver ip_serveur_maitre
 nameserver ip_serveur_dns_2

Do not answer broadcast pings

 echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Do not accept source-routed packets (check that this does not cause problems with the VMs)

 echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

Ignore bogus ICMP error responses

 echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Restart the network

 /etc/init.d/networking restart

Checks

 hostname -f

must return the FQDN, i.e. truc.machin.com

 hostname -s

must return the short name, i.e. openvz

 hostname -d

must return the domain, i.e. machin.com

 hostname -i

returns the IP address

Firewall

Edit sysctl.conf to allow IPv4 forwarding (should not be necessary)

Check /etc/network/interfaces to see which interfaces OVH sets up by default.

vi /etc/init.d/firewall

#!/bin/bash

### BEGIN INIT INFO
# Provides: Firewall
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# X-Start-Before:
# X-Stop-After:
# Default-Start:
# Default-Stop:
# X-Interactive: true
# Short-Description: VPS Firewall
# Description:
### END INIT INFO


# VPS Firewall script
# Copyright (C) 2011, James Carnegie me@kipz.org
# This program may be freely redistributed under the terms of the GNU GPL

# External interface name here
EXTIF="venet0"

# VPS main IP here
EXTIP="37.59.224.169"

# Your DNS server
NSIP="213.186.33.99"

# Flush iptables
iptables -F

# Setting default filter policy DROP all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on both lo and $EXTIF
iptables -A INPUT  -i $EXTIF -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -d 127.0.0.1 -j ACCEPT

# Allow loop back to speak to loop back
iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Block some weird stuff
iptables -A INPUT -s $EXTIP -j DROP
iptables -A OUTPUT -d $EXTIP -j DROP

# Stop  floods
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP

# Drop all incoming fragments
iptables -A INPUT -f -j DROP
# Drop all incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop all incoming malformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Bad incoming source ip address 0.0.0.0/8
iptables -A INPUT -s 0.0.0.0/8 -j DROP
# Bad incoming source ip address 127.0.0.0/8
iptables -A INPUT -s 127.0.0.0/8 -j DROP
# Bad incoming source ip address 10.0.0.0/8
iptables -A INPUT -s 10.0.0.0/8 -j DROP
# Bad incoming source ip address 172.16.0.0/12
iptables -A INPUT -s 172.16.0.0/12 -j DROP
# Bad incoming source ip address 192.168.0.0/16
iptables -A INPUT -s 192.168.0.0/16 -j DROP
# Bad incoming source ip address 224.0.0.0/3
iptables -A INPUT -s 224.0.0.0/3 -j DROP

# Incoming HTTP/HTTPS
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s $EXTIP --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -s $EXTIP --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT

# Incoming SMTP
#iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $EXTIP --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT

# Incoming SSH
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $EXTIP --dport 10000 -j ACCEPT
iptables -A OUTPUT -p tcp -s $EXTIP --sport 10000 -d 0/0 --dport 513:65535 -j ACCEPT

# Outgoing DNS
iptables -A OUTPUT -p udp -s $EXTIP --sport 1024:65535 -d $NSIP --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s $NSIP --sport 53 -d $EXTIP --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $EXTIP --sport 1024:65535 -d $NSIP --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $NSIP --sport 53 -d $EXTIP --dport 1024:65535 -j ACCEPT

# Outgoing ICMP
iptables -A OUTPUT -p icmp -s $EXTIP -d 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -d $EXTIP -j ACCEPT

# Outgoing traceroute
iptables -A OUTPUT -p udp -s $EXTIP --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT

# Outgoing SMTP
#iptables -A OUTPUT -p tcp -s $EXTIP --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $EXTIP --dport 1024:65535 -j ACCEPT

# Outgoing SSH
#iptables -A OUTPUT -p tcp -s $EXTIP --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp -s 0/0 --sport 22 -d $EXTIP --dport 513:65535 -j ACCEPT

# outgoing HTTP/HTTPS
iptables -A OUTPUT -p tcp -s $EXTIP --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d $EXTIP --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $EXTIP  --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -d $EXTIP --dport 1024:65535 -j ACCEPT

# Drop everything else
iptables -A INPUT -s 0/0 -j DROP
iptables -A OUTPUT -d 0/0 -j DROP

 chmod +x /etc/init.d/firewall

If something goes wrong, reboot the server

To add it to the scripts run at boot:

 update-rc.d firewall defaults

To remove it, use the following command:

 update-rc.d -f firewall remove

Run /etc/init.d/firewall to enable filtering.
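
Added example, not part of the page or of the kipz.org script: a Python audit that parses iptables lines from the script above and reports the default policies and the INPUT ports reachable from any source, which answers the lockout question (is SSH on port 10000 still open?) before the script is enabled over an SSH session. The rule excerpt is a constructed sample with $EXTIP and $NSIP expanded; `parse_rule`, `audit_ruleset` and `ssh_still_reachable` are names chosen here.

```python
import shlex

# Constructed excerpt of the page's firewall rules with $EXTIP and $NSIP
# already expanded; used as sample input, not the whole script.
SAMPLE_RULES = """\
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 37.59.224.169 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 37.59.224.169 --dport 443 -j ACCEPT
#iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 37.59.224.169 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 37.59.224.169 --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -s 213.186.33.99 --sport 53 -d 37.59.224.169 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -s 0/0 -j DROP
"""

def parse_rule(line):
    """Map one 'iptables ...' line to {option: value}; None if not a rule."""
    toks = shlex.split(line.split("#", 1)[0])   # a leading '#' disables the rule
    if len(toks) < 3 or toks[0] != "iptables":
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i] == "-P":                      # policy takes chain and target
            opts["-P"] = (toks[i + 1], toks[i + 2])
            i += 3
        elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:                                    # bare flags such as -f or --syn
            opts[toks[i]] = True
            i += 1
    return opts

def audit_ruleset(text):
    """Return (policies, open_ports); open_ports maps protocol -> INPUT dports any source may reach."""
    policies, open_ports = {}, {}
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        if "-P" in r:
            policies[r["-P"][0]] = r["-P"][1]
        elif (r.get("-A") == "INPUT" and r.get("-j") == "ACCEPT"
              and r.get("-s", "0/0") in ("0/0", "0.0.0.0/0") and "--dport" in r):
            open_ports.setdefault(r.get("-p", "all"), set()).add(r["--dport"])
    return policies, open_ports

def ssh_still_reachable(open_ports, ssh_port="10000"):
    """False means loading the script over SSH would drop your own session."""
    return ssh_port in open_ports.get("tcp", set())
```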


Applications

Time synchronisation

Apps

 aptitude install fail2ban rkhunter

Pound configuration

 ## redirect all requests on port 80 ("ListenHTTP") to the local web servers (see "Service" below):
 ListenHTTP
     Address 91.121.173.80
     Port    80
     # my services definition
     Service
         HeadRequire "Host:.*www.domaine.net.*"
         BackEnd
             Address vz-opensso
             Port    8180
         End
     End
     Service
         HeadRequire "Host:.*abcd.domaine.net.*"
         BackEnd
             Address vz-pouet
             Port    81
         End
     End
 End


Fail2ban configuration (for SSH)

 vi /etc/fail2ban/fail2ban.conf

Copy the example file and then edit it

 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 vi /etc/fail2ban/jail.local

rkhunter configuration

 vi /etc/default/rkhunter
 vi /etc/rkhunter.conf
 aptitude install bind9 bind9-host dnsutils

RVM and Ruby installation

  sudo apt-get install git-core -y
  sudo apt-get install build-essential -y
  
  #install rvm and gems
  curl -s -o rvm-installer https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer
  chmod u+x rvm-installer
  # install globally as sudo. VERY IMPORTANT
  sudo ./rvm-installer stable
  source /usr/local/rvm/scripts/rvm
  sudo usermod -a -G rvm chad
  newgrp - rvm # the - is VERY important
  rvm pkg install zlib
  rvm install 1.9.2
  rvm use 1.9.2@jekyll
  rvm default 1.9.2@jekyll
  gem install jekyll compass rdiscount --no-ri --no-rdoc


lighttpd and php5 installation

  apt-get install lighttpd libterm-readline-gnu-perl php5-cgi
  which php5-cgi

/usr/bin/php-cgi

Open the lighttpd configuration file:

  vi /etc/lighttpd/lighttpd.conf

First add the module mod_fastcgi (through this module lighttpd provides an interface to external programs that support the FastCGI interface). Make sure your server.modules loads mod_fastcgi:

 server.modules = (
            "mod_access",
            "mod_accesslog",
            "mod_fastcgi",
            "mod_rewrite",
            "mod_auth"
 )

Now add the following lines to the configuration:

 fastcgi.server = ( ".php" => ((
                     "bin-path" => "/usr/bin/php-cgi",
                     "socket" => "/tmp/php.socket"
                 )))

Save the configuration and close all the files. Restart lighttpd:

  /etc/init.d/lighttpd restart
  sudo apt-get install php5-cgi -y

MySQL installation

 aptitude install mysql-server-5.1 mysql-client-5.1 php5-mysql automysqlbackup


Monitoring and backup

 aptitude install rdiff-backup munin munin-node

Munin configuration

nano /etc/munin/munin.conf

 dbdir       /var/lib/munin/
 htmldir     /var/www/munin/
 logdir      /var/log/munin
 rundir      /var/run/munin/

 [vps]
     address 127.0.0.1
     use_node_name yes

nano /etc/munin/munin-node.conf

 #host *
 host 127.0.0.1

Postfix monitoring

 ln -s /usr/share/munin/plugins/postfix_mailstats /etc/munin/plugins/postfix_mailstats
 ln -s /usr/share/munin/plugins/postfix_mailqueue /etc/munin/plugins/postfix_mailqueue
 ln -s /usr/share/munin/plugins/postfix_mailvolume /etc/munin/plugins/postfix_mailvolume

nano /etc/munin/plugin-conf.d/munin-node:

 [postfix_mailstats]
 group adm
 [postfix_mailqueue]
 user (postfix)
 [postfix_mailvolume]
 group adm
 env.logfile mail.log

MySQL monitoring

 ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
 ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
 ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
 ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads


nano /etc/munin/plugin-conf.d/munin-node:

 [mysql*]
 user root
 env.mysqlopts --defaults-extra-file=/etc/mysql/debian.cnf


lighttpd monitoring

 wget https://github.com/rtucker/munin-lighttpd/raw/master/lighttpd_ -O /usr/share/munin/plugins/lighttpd
 chmod 755 /usr/share/munin/plugins/lighttpd
 ln -s path_to_this_script /etc/munin/plugins/lighttpd_accesses
 ln -s path_to_this_script /etc/munin/plugins/lighttpd_busyservers
 ln -s path_to_this_script /etc/munin/plugins/lighttpd_idleservers
 ln -s path_to_this_script /etc/munin/plugins/lighttpd_kbytes
 ln -s path_to_this_script /etc/munin/plugins/lighttpd_uptime

nano /etc/lighttpd/lighttpd.conf

 "mod_status",
 $HTTP["remoteip"] == "127.0.0.1" {
     status.status-url = "/server-status"
 }

nano /etc/munin/plugin-conf.d/munin-node:

 [lighttpd*]
 env.statusurl http://127.0.0.1/server-status?auto
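
As an added example (neither rtucker's plugin nor anything from the page), a Python wildcard Munin plugin equivalent to the five lighttpd_* symlinks above: it parses the ?auto status output served at the statusurl configured above and prints the config and fetch lines munin-node expects. The status sample is constructed, the field names assume lighttpd's Apache-style ?auto format, and `parse_status`, `munin_config` and `munin_fetch` are names chosen here.

```python
import os
import sys
import urllib.request
# Constructed sample of what lighttpd's mod_status returns at the
# "?auto" status URL configured above; the figures are invented.
SAMPLE_STATUS = """\
Total Accesses: 48213
Total kBytes: 915022
Uptime: 86400
BusyServers: 3
IdleServers: 5
"""

# plugin suffix (as in the lighttpd_* symlinks) -> status key, title, unit, type (DERIVE = rate of a counter)
METRICS = {
    "accesses":    ("Total Accesses", "lighttpd accesses", "requests/s", "DERIVE"),
    "kbytes":      ("Total kBytes", "lighttpd traffic", "kB/s", "DERIVE"),
    "uptime":      ("Uptime", "lighttpd uptime", "seconds", "GAUGE"),
    "busyservers": ("BusyServers", "lighttpd busy servers", "connections", "GAUGE"),
    "idleservers": ("IdleServers", "lighttpd idle servers", "connections", "GAUGE"),
}

def parse_status(text):
    """Parse the 'Key: value' lines of the ?auto output into {key: int}."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = int(value.strip())
    return out

def munin_config(metric):
    """What the plugin prints when munin-node runs it with 'config'."""
    key, title, unit, kind = METRICS[metric]
    return "\n".join(["graph_title " + title, "graph_vlabel " + unit,
                      "graph_category lighttpd", "%s.label %s" % (metric, key),
                      "%s.type %s" % (metric, kind), "%s.min 0" % metric])

def munin_fetch(metric, status):
    """What the plugin prints on a plain run: one 'field.value N' line."""
    return "%s.value %d" % (metric, status[METRICS[metric][0]])

if __name__ == "__main__":
    # Wildcard plugin: the suffix after "lighttpd_" in the symlink name picks the metric; munin-node exports env.statusurl as $statusurl.
    metric = os.path.basename(sys.argv[0]).split("_", 1)[-1]
    url = os.environ.get("statusurl", "http://127.0.0.1/server-status?auto")
    if len(sys.argv) > 1 and sys.argv[1] == "config":
        print(munin_config(metric))
    else:
        print(munin_fetch(metric, parse_status(urllib.request.urlopen(url).read().decode())))
```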


Bind monitoring

 wget http://wiki.queret.net/_media/docs/monitoring/bind9_queries_incoming.txt -O /usr/share/munin/plugins/bind9_queries_incoming
 wget http://wiki.queret.net/_media/docs/monitoring/bind9_resolver.txt -O /usr/share/munin/plugins/bind9_resolver
 wget http://wiki.queret.net/_media/docs/monitoring/bind9_server_stats.txt -O /usr/share/munin/plugins/bind9_server_stats
 chmod 755 /usr/share/munin/plugins/bind9_*
 ln -s /usr/share/munin/plugins/bind9_queries_incoming /etc/munin/plugins/bind9_queries_incoming
 ln -s /usr/share/munin/plugins/bind9_resolver /etc/munin/plugins/bind9_resolver
 ln -s /usr/share/munin/plugins/bind9_server_stats /etc/munin/plugins/bind9_server_stats

nano /etc/munin/plugin-conf.d/munin-node:

 [bind*]
 user bind
 env.bind_stat_file /var/cache/bind/named.stats
 env.bind_rndc /usr/sbin/rndc

Check that the rndc status command does not return an error

And finish with

 sudo /etc/init.d/munin-node restart

http://www.debuntu.org/how-to-monitoring-a-server-with-munin

Remote backup

 rsync -e "ssh -p 10000 -i /root/.ssh/id_rsa" -az --delete-after kta@vps.arthion.fr:/var/backup /mnt/shares/home/vps/

Access the server with dropbear and a key
http://yorkspace.wordpress.com/2009/04/08/using-public-keys-with-dropbear-ssh-client/
set up an automatic remote backup (cron, rsync...)
http://troy.jdmz.net/rsync/index.html

Miscellaneous resources

Explanation of the hostname
http://jblevins.org/log/hostname

http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-lighttpd-et-php-sur-debian-4-0-etch

MySQL (very tight)
http://chrisjohnston.org/tech/configuring-a-lightweight-apache-mysql-install-on-debian-ubuntu

(current) http://web.archive.org/web/20100129020122/http://www.agnivo.com/tech/vps-mysql-and-apache-optimization-guide-27.html

Or alternatively (also stricter than the current one):

 key_buffer = 16K
 max_allowed_packet = 1M
 thread_stack = 64K
 table_cache = 4
 sort_buffer = 64K
 net_buffer_length = 2K
 skip-innodb

Compile MySQL
http://freenuts.com/how-to-install-mysql-on-a-vps/

Automatic install script
https://github.com/lowendbox/lowendscript/raw/master/setup-debian.sh

 wget https://github.com/lowendbox/lowendscript/raw/master/setup-debian.sh && chmod +x setup-debian.sh && ./setup-debian.sh

https://library.linode.com

 du -sh
 id kta

Backup ideas (rotation of files that are too old)
https://github.com/kdeldycke/scripts/blob/master/website-backup.py

Reduce the memory usage of a VPS
http://www.webhostingtalk.com/showthread.php?t=855618

Source of the iptables script used on the VPS
http://kipz.org/blog/?p=25
To make it run automatically, I just:

1) Put it somewhere nice:

 /usr/local/bin/vpsfw

2) Fix the permissions

 chmod 550 /usr/local/bin/vpsfw

3) Fix the ownership

 chown root:root /usr/local/bin/vpsfw

4) Add the following to the end of /etc/rc.local

 /usr/local/bin/vpsfw


Clean the lighttpd cache
http://bash.cyberciti.biz/file-management/cleaning-webserver-cache-script/

Dropbox and jekyll

 usermod -g www tony

Monitoring