Installation VPS
Installation
Configurer le sous domaine vers l'IP dans l'admin OVH
Config de base
Compte Root, user et SSH
Modifier le mot de passe root ayant été envoyé par mail
passwd root
Créer un user de base pour la connexion ssh
adduser nouveauuser
aptitude install sudo visudo
ajouter nouveuuser dans la liste des sudoers
Ajouter la clé publique pour la future connexion ssh de l'utilisateur
su nouveauuser
Clé publique à déposer dans :
~/.ssh/authorized_keys
Modifier la configuration SSH vi /etc/ssh/sshd_config
Port 10000 # Changer le port par défaut PermitRootLogin no # Ne pas permettre de login en root Protocol 2 # Protocole v2 #AllowUsers nouveauuser # N'autoriser qu'un utilisateur PubkeyAuthentication yes # Autoriser uniquement l'authentification par clé #PasswordAuthentication no # Refuser l'authentification par mot de passe - N'activer qu'après avoir confirmé connexion par clé.
Redémarrer le service SSH après ces modifications :
/etc/init.d/ssh restart
Configuration des locales ainsi que du fuseau horaire
dpkg-reconfigure locales dpkg-reconfigure tzdata
Mettre a jour le system et reboot
aptitude update && aptitude full-upgrade
Configuration réseau
vi /etc/hostname et indiquer le reverse configuré chez OVH
vi /etc/hosts
127.0.0.1 localhost xx.x.xxx.xxx truc.machin.com truc
vi /etc/resolv.conf
nameserver ip_serveur_maitre nameserver ip_serveur_dns_2
Ne pas répondre aux ping broadcast
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Désactiver le routage de paquets d'origine interne (a tester si ne pose pas de pb avec les VM)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
Refuser les messages de réponse icmp invalides
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
Redémarrer le reseau
/etc/init.d/networking restart
Vérifications
hostname -f
doit retourner le FQDN soit truc.machin.com
hostname -s
doit retourner le nom court, soit openvz
hostname -d
doit retourner le domaine, soit machin.com
hostname -i
retourne l'adresse IP
Firewall
Modifier le fichier sysctl.conf afin de permettre le forwarding ipv4 :(ne devrait pas etre nécéssaire)
Consulter /etc/network/interfaces et voir quelles interfaces sont établies par défaut par OVH.
vi /etc/init.d/firewall
#!/bin/bash ### BEGIN INIT INFO # Provides: Firewall # Required-Start: # Required-Stop: # Should-Start: # Should-Stop: # X-Start-Before: # X-Stop-After: # Default-Start: # Default-Stop: # X-Interactive: true # Short-Description: VPS Firewall # Description: ### END INIT INFO # VPS Firewall script # Copyright (C) 2011, James Carnegie me@kipz.org # This program may be freely redistributed under the terms of the GNU GPL # External interface name here EXTIF="venet0" # VPS main IP here EXTIP="37.59.224.169" # Your DNS server NSIP="213.186.33.99" # Flush iptables iptables -F # Setting default filter policy DROP all iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Allow unlinited traffic on both lo and $EXTIF iptables -A INPUT -i $EXTIF -s 127.0.0.1 -j ACCEPT iptables -A OUTPUT -o $EXTIF -d 127.0.0.1 -j ACCEPT # Allow loop back to speak to loop back iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT # Block weird some stuff iptables -A INPUT -s $EXTIP -j DROP iptables -A OUTPUT -d $EXTIP -j DROP # Stop floods iptables -N flood iptables -A INPUT -p tcp --syn -j flood iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN iptables -A flood -j DROP # Drop all incoming fragments iptables -A INPUT -f -j DROP # Drop all incoming malformed XMAS packets iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # Drop all incoming malformed NULL packets iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # Bad incoming source ip address 0.0.0.0/8 iptables -A INPUT -s 0.0.0.0/8 -j DROP # Bad incoming source ip address 127.0.0.0/8 iptables -A INPUT -s 127.0.0.0/8 -j DROP # Bad incoming source ip address 10.0.0.0/8 iptables -A INPUT -s 10.0.0.0/8 -j DROP # Bad incoming source ip address 172.16.0.0/12 iptables -A INPUT -s 172.16.0.0/12 -j DROP # Bad incoming source ip address 192.168.0.0/16 iptables -A INPUT -s 192.168.0.0/16 -j DROP # Bad incoming source ip address 224.0.0.0/3 iptables -A INPUT -s 224.0.0.0/3 -j DROP # Incoming HTTP/HTTPS iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 80 -j ACCEPT iptables -A OUTPUT -p tcp -s $EXTIP --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp -s $EXTIP --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT # Incoming SMTP #iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 25 -j ACCEPT #iptables -A OUTPUT -p tcp -s $EXTIP --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT # Incoming SSH iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $EXTIP --dport 10000 -j ACCEPT iptables -A OUTPUT -p tcp -s $EXTIP --sport 10000 -d 0/0 --dport 513:65535 -j ACCEPT # Outgoing DNS iptables -A OUTPUT -p udp -s $EXTIP --sport 1024:65535 -d $NSIP --dport 53 -j ACCEPT iptables -A INPUT -p udp -s $NSIP --sport 53 -d $EXTIP --dport 1024:65535 -j ACCEPT iptables -A OUTPUT -p tcp -s $EXTIP --sport 1024:65535 -d $NSIP --dport 53 -j ACCEPT iptables -A INPUT -p tcp -s $NSIP --sport 53 -d $EXTIP --dport 1024:65535 -j ACCEPT # Outgoing ICMP iptables -A OUTPUT -p icmp -s $EXTIP -d 0/0 -j ACCEPT iptables -A INPUT -p icmp -s 0/0 -d $EXTIP -j ACCEPT # Outgoing traceroute iptables -A OUTPUT -p udp -s $EXTIP --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT # Outgoing SMTP #iptables -A OUTPUT -p tcp -s $EXTIP --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT #iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $EXTIP --dport 1024:65535 -j ACCEPT # Outgoing SSH #iptables -A OUTPUT -p tcp -s $EXTIP --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT #iptables -A INPUT -p tcp -s 0/0 --sport 22 -d $EXTIP --dport 513:65535 -j ACCEPT # outgoing HTTP/HTTPS iptables -A OUTPUT -p tcp -s $EXTIP --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 80 -d $EXTIP --dport 1024:65535 -j ACCEPT iptables -A OUTPUT -p tcp -s $EXTIP --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 443 -d $EXTIP --dport 1024:65535 -j ACCEPT # Drop everything else iptables -A INPUT -s 0/0 -j DROP iptables -A OUTPUT -d 0/0 -j DROP
chmod +x /etc/init.d/firewall
En cas d'erreur, redémarrer le serveur
Afin de l'ajouter aux scripts appelés au démarrage :
update-rc.d firewall defaults
Pour le retirer, utiliser la commande suivante :
update-rc.d -f firewall remove
/etc/init.d/firewall pour activer le filtrage.
Applications
Synchro du temps
Applis
aptitude install fail2ban rkhunter rcconf
Rcconf permet de gérer les applis au boot. Pratique.
Configuration pound
## redirect all requests on port 8080 ("ListenHTTP") to the local webserver (see "Service" below): ListenHTTP Address 91.121.173.80 Port 80 # my services definition Service HeadRequire "Host:.*www.domaine.net.*" BackEnd Address vz-opensso Port 8180 End End Service HeadRequire "Host:.*abcd.domaine.net.*" BackEnd Address vz-pouet Port 81 End End End
Configuration Fail2ban (pour ssh)
vi /etc/fail2ban/fail2ban.conf
Copier le fichier d'exemple puis le modifier
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local vi /etc/fail2ban/jail.local
Configuration rkhunter
vi /etc/default/rkhunter vi /etc/rkhunter.conf
aptitude install bind9 bind9-host dnsutils
Installation RVM et Ruby
sudo apt-get install git-core -y sudo apt-get install build-essential -y #install rvm and gems curl -s -o rvm-installer https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer chmod u+x rvm-installer # install globally as sudo. VERY IMPORTANT sudo ./rvm-installer stable source /usr/local/rvm/scripts/rvm sudo usermod -a -G rvm chad newgrp - rvm # the - is VERY important rvm pkg install zlib rvm install 1.9.2 rvm use 1.9.2@jekyll rvm default 1.9.2@jekyll gem install jekyll compass rdiscount --no-ri --no-rdoc
Pour mettre en place un environnement de développement isolé, on crée un user git qui hebergera tous les repos git.
adduser git sudo usermod -a -G rvm git mkdir /home/git/.ssh
On ajoute le path RVM dans git (utilisé pour le déploiement des blogs) nano /home/git/.bashrc
COMMENTER [ -z "$PS1" ] && return export PATH=/usr/local/rvm/bin:$PATH source /usr/local/rvm/scripts/rvm
Déposer les clés ssh dans autorized_keys
chown -R git:git /home/git/.ssh chmod 700 !$ chmod 600 /home/git/.ssh/*
A partir d'ici, on teste la connexion : ssh git@vps.com
Pour ajouter les dépots git :
git --bare init dépot.git
Sur la machine de dev :
git remote add origin ssh://git@myserver.com:2207/~/myrepo.git git push origin master
Pour définir un master et un merge par défaut dans git :
git config branch.master.remote origin && git config branch.master.merge refs/heads/master
Installation lighttpd et php5
apt-get install lighttpd libterm-readline-gnu-perl php5-cgi which php5-cgi
/usr/bin/php-cgi
Open lighttpd configuration file:
- vi /etc/lighttpd/lighttpd.conf
First add the module mod_fastcgi (lighttpd provides an interface to a external programs that support the FastCGI interface via this module). Make sure your server.modules loades mod_fastcgi:
server.modules = (
"mod_access", "mod_accesslog", "mod_fastcgi", "mod_rewrite", "mod_auth"
)
Now add following lines to configuration:
fastcgi.server = ( ".php" => ((
"bin-path" => "/usr/bin/php-cgi", "socket" => "/tmp/php.socket" )))
Save the configuration and close all the files. Restart the lighttpd:
- /etc/init.d/lighttpd restart
sudo apt-get install php5-cgi -y
Installation Mysql
aptitude install mysql-server-5.1 mysql-client-5.1 php5-mysql automysqlbackup
Configuration automysqlbackup : nano /etc/default/automysqlbackup
BACKUPDIR="/var/backup/automysqlbackup"
Monitoring et backup
aptitude install rdiff-backup munin munin-node
Mise en place des backups
Créer un fichier dans ~/cron/website-backup
#!/bin/sh nice -n 19 rdiff-backup --exclude /var/www/munin /var/www/ /var/backup/www/ chmod -R 777 /var/backup
Ajouter un appel au fichier dans crontab avec crontab -e:
0 3 * * * /home/kta/cron/website_backup
Configuration de munin
nano /etc/munin/munin.conf.
dbdir /var/lib/munin/ htmldir /var/www/munin/ logdir /var/log/munin rundir /var/run/munin/
[vps]
address 127.0.0.1 use_node_name yes
nano /etc/munin/munin-node.conf
#host * host 127.0.0.1
Suivi Postfix
ln -s /usr/share/munin/plugins/postfix_mailstats /etc/munin/plugins/postfix_mailstats ln -s /usr/share/munin/plugins/postfix_mailqueue /etc/munin/plugins/postfix_mailqueue ln -s /usr/share/munin/plugins/postfix_mailvolume /etc/munin/plugins/postfix_mailvolume
nano /etc/munin/plugin-conf.d/munin-node :
[postfix_mailstats] group adm
[postfix_mailqueue] user (postfix)
[postfix_mailvolume] group adm env.logfile mail.log
Suivi Mysql
ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
nano /etc/munin/plugin-conf.d/munin-node :
[mysql*] user root env.mysqlopts --defaults-extra-file=/etc/mysql/debian.cnf
Suivi lighttpd
wget https://github.com/rtucker/munin-lighttpd/raw/master/lighttpd_ -O /usr/share/munin/plugins/lighttpd chmod 755 /usr/share/munin/plugins/lighttpd ln -s path_to_this_script /etc/munin/plugins/lighttpd_accesses ln -s path_to_this_script /etc/munin/plugins/lighttpd_busyservers ln -s path_to_this_script /etc/munin/plugins/lighttpd_idleservers ln -s path_to_this_script /etc/munin/plugins/lighttpd_kbytes ln -s path_to_this_script /etc/munin/plugins/lighttpd_uptime
nano /etc/lighttpd/lighttpd.conf
"mod_status", $HTTP["remoteip"] == "127.0.0.1" { status.status-url = "/server-status" }
Nano /etc/munin/plugin-conf.d/munin-node :
[lighttpd*] env.statusurl http://127.0.0.1/server-status?auto
Suivi Bind
wget http://wiki.queret.net/_media/docs/monitoring/bind9_queries_incoming.txt -O /usr/share/munin/plugins/bind9_queries_incoming wget http://wiki.queret.net/_media/docs/monitoring/bind9_resolver.txt -O /usr/share/munin/plugins/bind9_resolver wget http://wiki.queret.net/_media/docs/monitoring/bind9_server_stats.txt -O /usr/share/munin/plugins/bind9_server_stats chmod 755 /usr/share/munin/plugins/bind9_* ln -s /usr/share/munin/plugins/bind9_queries_incoming /etc/munin/plugins/bind9_queries_incoming ln -s /usr/share/munin/plugins/bind9_resolver /etc/munin/plugins/bind9_resolver ln -s /usr/share/munin/plugins/bind9_server_stats /etc/munin/plugins/bind9_server_stats
nano /etc/munin/plugin-conf.d/munin-node :
[bind*] user bind env.bind_stat_file /var/cache/bind/named.stats env.bind_rndc /usr/sbin/rndc
Vérifier que la commande rndc status ne renvoie pas une erreur
Et on termine par
sudo /etc/init.d/munin-node restart
http://www.debuntu.org/how-to-monitoring-a-server-with-munin
Backup à distance
rsync -e "ssh -p 10000 -i /root/.ssh/id_rsa" -az --delete-after kta@vps.arthion.fr:/var/backup /mnt/shares/home/vps/
Acceder au serveur avec dropbear et clé
http://yorkspace.wordpress.com/2009/04/08/using-public-keys-with-dropbear-ssh-client/
mettre en place un bakcup auto a distance (cron, rsync...)
http://troy.jdmz.net/rsync/index.html
Sécuriser Postfix
Lors de l'installation de l'interface proxmox, postfix
a été automatiquement installé.
Modifiez la configuration de postfix dans /etc/postfix/main.cf
comme suit :
# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = onyx.csnu.org mydomain = onyx.csnu.org alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = onyx.csnu.org, localhost relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 mailbox_size_limit = 0 recipient_delimiter = + inet_protocols = all inet_interfaces = 127.0.0.1, [::1], 192.168.0.1, 91.121.141.220, [2001:41d0:1:bcdc::220] smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname
Pour la partie SSL suivre : http://wiki.csnu.org/index.php?title=Installation_et_configuration_de_OpenSSL
Puis : Si vous avez votre propre autorité ssl, vous pouvez générer votre propre certificat.
Ajoutez les lignes suivantes dans /etc/ssl/openssl.cnf
:
[POSTFIX] nsComment = "SMTP Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always issuerAltName = issuer:copy basicConstraints = critical,CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment nsCertType = server extendedKeyUsage = serverAuth
Puis générez la clé et le certificat, et signez le avec votre autorité (onyx_ca dans mon cas) :
openssl req -config /etc/ssl/openssl.cnf -nodes -newkey rsa:2048 -keyout postfix.key -out postfix.req openssl ca -config /etc/ssl/openssl.cnf -name onyx_ca -extensions POSTFIX -in postfix.req -out postfix.pem
Déplacez les fichiers dans le répertoire /etc/postfix/ssl
:
mkdir /etc/postfix/ssl mv postfix.key /etc/postfix/ssl/ mv postfix.pem /etc/postfix/ssl/ chmod 600 /etc/postfix/ssl/* cat /etc/ssl/root_ca/root_ca.pem /etc/ssl/onyx_ca/onyx_ca.pem > /etc/postfix/ssl/ca_chain.pem
Il faut encore modifier /etc/postfix/main.cf
:
smtpd_tls_cert_file=/etc/postfix/ssl/postfix.pem smtpd_tls_key_file=/etc/postfix/ssl/postfix.key smtpd_tls_CAfile=/etc/ssl/csnu.org/ca.pem smtpd_use_tls=yes smtp_tls_cert_file=/etc/postfix/ssl/postfix.pem smtp_tls_key_file=/etc/postfix/ssl/postfix.key smtp_tls_CAfile=/etc/postfix/ssl/ca_chain.pem
Ressources diverses
Explications sur le hostname
http://jblevins.org/log/hostname
http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-lighttpd-et-php-sur-debian-4-0-etch
(Non testé)Script d'install automatique
https://github.com/lowendbox/lowendscript/raw/master/setup-debian.sh
wget https://github.com/lowendbox/lowendscript/raw/master/setup-debian.sh && chmod +x setup-debian.sh &&./setup-debian.sh
https://library.linode.com
du -sh
id kta
Réduire l'utilisation mémoire d'un vps
http://www.webhostingtalk.com/showthread.php?t=855618
Source du script iptable utilisé sur le vps
http://kipz.org/blog/?p=25
To make it run on automatically, I just:
1) Put it somewhere nice:
/usr/local/bin/vpsfw
2) Fix the permissions
chmod 550 /usr/local/bin/vpsfw
3) Fix the ownership
chown root:root /usr/local/bin/vpsfw
4) Add the following to the end of /etc/rc.local
/usr/local/bin/vpsfw
Nettoyer le cache ligghtpd
http://bash.cyberciti.biz/file-management/cleaning-webserver-cache-script/
http://www.debianadmin.com/manage-linux-init-or-startup-scripts.html
Mysql
Mysql (tres serré)
http://chrisjohnston.org/tech/configuring-a-lightweight-apache-mysql-install-on-debian-ubuntu
(actuel) http://web.archive.org/web/20100129020122/http://www.agnivo.com/tech/vps-mysql-and-apache-optimization-guide-27.html
Ou aussi (plus strict qu'actuel aussi)
key_buffer = 16K
max_allowed_packet = 1M
thread_stack = 64K
table_cache = 4
sort_buffer = 64K
net_buffer_length = 2K
skip-innodb
Compiler Mysql
http://freenuts.com/how-to-install-mysql-on-a-vps/
Backup:
http://doc.ubuntu-fr.org/automysqlbackup
Monitoring
http://munin-monitoring.org/wiki/Debugging_Munin_plugins
http://wiki.queret.net/docs/monitoring/munin#postfix
https://github.com/rtucker/munin-lighttpd/blob/master/lighttpd_
http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModStatus
http://munin-monitoring.org/ticket/869
Git
http://tumblr.intranation.com/post/766290565/how-set-up-your-own-private-git-server-linux
Backup
http://doc.ubuntu-fr.org/rdiff-backup
Idées pour backup (rotation des fichiers torp vieux)
https://github.com/kdeldycke/scripts/blob/master/website-backup.py
http://doc.ubuntu-fr.org/rsync