10 Steps To Well Configured VPS

Transcript
Page 1: 10 Steps To Well Configured VPS

10 STEPS TO WELL CONFIGURED VPS FOR YOUR WEB APP. RUBACI.CZ MAY, 2014

Page 2: 10 Steps To Well Configured VPS

LINUX DISTRO

# NEVER Ubuntu XX.10 # 9 months

# Yes Ubuntu XX.04 LTS # 5 years

Page 3: 10 Steps To Well Configured VPS

HOSTING

# SSD
DigitalOcean.com
linode.com

# AWS - Good for Dynamic Hosting aws.amazon.com

Page 4: 10 Steps To Well Configured VPS

BASIC UPDATE

# Update all
sudo apt-get -y update && sudo apt-get -y upgrade

# Basic packages
sudo apt-get install build-essential git-core
sudo apt-get install curl
sudo apt-get install python-software-properties

Page 5: 10 Steps To Well Configured VPS

NEVER BE ROOT, NEVER!!

# Add deploy user
adduser deploy --ingroup admin

# Switch to Deploy user
su deploy
cd # To home directory

# Allow deploy to run SUDO
visudo
root ALL=(ALL) ALL
deploy ALL=(ALL) ALL

Page 6: 10 Steps To Well Configured VPS

NO PASSWORDS PLEASE!

# SSH with keys
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
sudo aptitude install vim
vim ~/.ssh/authorized_keys

# OR
cat ~/.ssh/id_rsa.pub | ssh deploy@ip 'cat >> ~/.ssh/authorized_keys'

Page 7: 10 Steps To Well Configured VPS

SSH-SERVER

# Change port to XXXX
# And turn off Root login and forbid passwords
sudo vim /etc/ssh/sshd_config
>>>>>>>>>>>>
Port 3245
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
# Optional!
AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
<<<<<<<<<<<<

# Restart ssh daemon
sudo service ssh restart
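A check of the edited file before the daemon is restarted, as an added example that is not part of the original slides: it parses an sshd_config and reports any of the slide's four settings that are missing or overridden by an earlier line. The function names `values` and `audit_sshd` and the sample file are constructed for illustration, and treating a keyword that is not set explicitly as a finding is a choice made here.

```shell
#!/bin/sh
# Added example, not from the slides: audit an sshd_config against the slide's settings.

# values FILE KEYWORD: print every value set for KEYWORD (lowercase) in the
# global section. Keywords are case-insensitive; "Key=value" is also accepted.
values() {
    awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }            # drop leading whitespace
        /^#/ || /^$/ { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }   # global section ends at first Match
        tolower($1) == key { print tolower($2) }
    ' "$1"
}

# audit_sshd FILE: print one line per finding; exit status = number of findings.
audit_sshd() {
    file=$1
    fails=0
    for want in permitrootlogin=no permitemptypasswords=no passwordauthentication=no; do
        key=${want%%=*}
        expected=${want#*=}
        # For these keywords sshd uses the first value it reads.
        got=$(values "$file" "$key" | head -n 1)
        if [ "$got" != "$expected" ]; then
            echo "FAIL $key: want $expected, got ${got:-nothing (not set explicitly)}"
            fails=$((fails + 1))
        fi
    done
    # Port may be given several times and sshd listens on all of them.
    ports=$(values "$file" port)
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "FAIL port: sshd would still listen on the default port 22"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: the commented-out line and the later "no" do not count.
sample=$(mktemp)
printf '%s\n' 'Port 3245' 'PermitRootLogin no' '#PasswordAuthentication no' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' > "$sample"
audit_sshd "$sample" || echo "$? finding(s) in sample"
rm -f "$sample"
```

On the server itself, `sudo sshd -t` checks the file for syntax errors before the restart. Keeping the current session open until a new login on the new port succeeds avoids a lockout.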

Page 8: 10 Steps To Well Configured VPS

SSH-CLIENT

# Generate SSH key
ssh-keygen -t rsa

# ~/.ssh/config
Host mojejmeno
  # /etc/hosts or IP
  HostName mujserver.com
  Port XXXX
  User deploy

Page 9: 10 Steps To Well Configured VPS

PREVENT ATTACKS

# Firewall
ufw allow 80 # HTTP
ufw allow 443 # HTTPS
ufw enable

# SSH
ufw allow from {your-ip} to any port XXXX

Page 10: 10 Steps To Well Configured VPS

PREVENT ATTACKS #2

# Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. It's well configured out of the box.
apt-get install fail2ban

Page 11: 10 Steps To Well Configured VPS

ENABLE AUTOMATIC SECURITY UPDATES

# Install automatic upgrades
apt-get install unattended-upgrades
vim /etc/apt/apt.conf.d/10periodic
>>>>>>>>
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
<<<<<<<<

# Setup only security upgrades
vim /etc/apt/apt.conf.d/50unattended-upgrades
>>>>>>>>
Unattended-Upgrade::Allowed-Origins {
    "Ubuntu lucid-security";
//  "Ubuntu lucid-updates";
};
<<<<<<<<

Page 12: 10 Steps To Well Configured VPS

EMAIL NOTIFICATION

# Install LogWatch
apt-get install logwatch
vim /etc/cron.daily/00logwatch

# Setup email notification
/usr/sbin/logwatch --output mail --mailto [email protected] --detail high

Page 13: 10 Steps To Well Configured VPS

WHAT NEXT?

# Troubleshooting
http://devo.ps/blog/2013/03/06/troubleshooting-5minutes-on-a-yet-unknown-box.html

# Keep Swipe file
Every good dev/ops should have a swipe file of the best work and stuff he did or will repeat.

Page 14: 10 Steps To Well Configured VPS

HAPPY VPSING!!!
LADISLAV MARTINCIK {@MARTINCIK}