MitsuhaMiyamizu · May 17, 2016 04:44 · MitsuhaMiyamizu · May 17, 2016
diff --git a/gentoo-linode-vps-setup b/gentoo-linode-vps-setup
 Update the GCC and the whole system, using hardened GCC to get every package hardened.
 # emerge --sync
 # eselect news read new
 # emerge eix
 # eix-update
 # screen -R eme
 # eselect profile list
 # eselect profile set [hardening profile number]
 # source /etc/profile
 # emerge --oneshot gcc
 # emerge --oneshot binutils virtual/libc
 # emerge --update --deep --with-bdeps=y --newuse --autounmask-write world
 修改防火墙设置，禁止ping，以及只允许http/https连入，默认放行SSH/tcp
 # ufw default reject
 # ufw allow 22/tcp
 # ufw allow in http
 # ufw allow in https
 # vim /etc/ufw/before.rules

 #修改配置#允许ping
 # -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
 #禁止ping
 # -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

 # nano /etc/conf.d/hostname
 # echo clock="local" >> /etc/conf.d/hwclock

 # echo 'LANG="en_US.UTF-8"' > /etc/env.d/02local
 # echo 'LC_COLLATE="C"' >> /etc/env.d/02local
 # locale-gen

 # echo "gem: --no-ri --no-rdoc" > /etc/skel/.gemrc

 # echo "umask 002" >> /etc/skel/.bashrc
 # echo "export RBENV_ROOT=/usr/local/rbenv" >> /etc/skel/.bashrc
 # echo 'export PATH="$RBENV_ROOT/shims:$RBENV_ROOT/bin:$PATH"' >> /etc/skel/.bashrc

 # groupadd web, sftponly
 # useradd -m -g web -G users,wheel,cron -s /bin/bash your_regular_user
 # passwd your_regular_user

 # useradd -m -g web -G users,cron -s /bin/bash deployer
 # passwd deployer

 # useradd -m -g web -G users,[wheel],[sftponly],[cron] -s /bin/bash hosted_site_user
 # passwd hosted_site_user

 # chgrp root /home/hosted_site_user
 # chown root /home/hosted_site_user
 # mkdir /home/hosted_site_user/www
 # mkdir /home/hosted_site_user/www/app
 # chmod g+w /home/hosted_site_user/www/app
 # chgrp web /home/hosted_site_user/www/app
 # chown hosted_site_user /home/hosted_site_user/www/app

 [sftponly] -> add sftp access and blocks remote ssh login

 # cp /usr/share/zoneinfo/Europe/Rome /etc/localtime
 # echo "Europe/Rome" > /etc/timezone
 # netselect -s 3 pool.ntp.org >> /etc/ntp.conf

 # USE="-perl nginx_modules_http_gzip_static -nginx_modules_http_geo -X -alsa -cups -ant" >> /etc/make.conf
 # emerge nginx sqlite git

 # nano /etc/ssh/sshd_config
  Subsystem       sftp    internal-sftp

  Match Group sftponly
    ChrootDirectory %h/www/
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -u 0002

 # emerge -a --depclean
 # emerge -uDNa --with-bdeps=y world
 # revdep-rebuild


 # Shared rbenv

 # cd /usr/local
 # git clone git://github.com/sstephenson/rbenv.git rbenv
 # chgrp -R web rbenv/
 # chmod g+w rbenv/

 # mkdir /usr/local/rbenv/plugins
 # cd /usr/local/rbenv/plugins
 # git clone git://github.com/sstephenson/ruby-build.git
 # chgrp -R web ruby-build

 # emerge libyaml

 $ rbenv install --list
 $ rbenv install 1.9.3-p362
 $ rbenv rehash
 $ rbenv global 1.9.3-p362

 $ gem install bundler
	Update the GCC and the whole system, using hardened GCC to get every package hardened.
	# emerge --sync
	# eselect news read new
	# emerge eix
	# eix-update
	# screen -R eme
	# eselect profile list
	# eselect profile set [hardening profile number]
	# source /etc/profile
	# emerge --oneshot gcc
	# emerge --oneshot binutils virtual/libc
	# emerge --update --deep --with-bdeps=y --newuse --autounmask-write world
	修改防火墙设置，禁止ping，以及只允许http/https连入，默认放行SSH/tcp
	# ufw default reject
	# ufw allow 22/tcp
	# ufw allow in http
	# ufw allow in https
	# vim /etc/ufw/before.rules

	#修改配置#允许ping
	# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
	#禁止ping
	# -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

	# nano /etc/conf.d/hostname
	# echo clock="local" >> /etc/conf.d/hwclock

	# echo 'LANG="en_US.UTF-8"' > /etc/env.d/02local
	# echo 'LC_COLLATE="C"' >> /etc/env.d/02local
	# locale-gen

	# echo "gem: --no-ri --no-rdoc" > /etc/skel/.gemrc

	# echo "umask 002" >> /etc/skel/.bashrc
	# echo "export RBENV_ROOT=/usr/local/rbenv" >> /etc/skel/.bashrc
	# echo 'export PATH="$RBENV_ROOT/shims:$RBENV_ROOT/bin:$PATH"' >> /etc/skel/.bashrc

	# groupadd web, sftponly
	# useradd -m -g web -G users,wheel,cron -s /bin/bash your_regular_user
	# passwd your_regular_user

	# useradd -m -g web -G users,cron -s /bin/bash deployer
	# passwd deployer

	# useradd -m -g web -G users,[wheel],[sftponly],[cron] -s /bin/bash hosted_site_user
	# passwd hosted_site_user

	# chgrp root /home/hosted_site_user
	# chown root /home/hosted_site_user
	# mkdir /home/hosted_site_user/www
	# mkdir /home/hosted_site_user/www/app
	# chmod g+w /home/hosted_site_user/www/app
	# chgrp web /home/hosted_site_user/www/app
	# chown hosted_site_user /home/hosted_site_user/www/app

	[sftponly] -> add sftp access and blocks remote ssh login

	# cp /usr/share/zoneinfo/Europe/Rome /etc/localtime
	# echo "Europe/Rome" > /etc/timezone
	# netselect -s 3 pool.ntp.org >> /etc/ntp.conf

	# USE="-perl nginx_modules_http_gzip_static -nginx_modules_http_geo -X -alsa -cups -ant" >> /etc/make.conf
	# emerge nginx sqlite git

	# nano /etc/ssh/sshd_config
	Subsystem sftp internal-sftp

	Match Group sftponly
	ChrootDirectory %h/www/
	AllowTCPForwarding no
	X11Forwarding no
	ForceCommand internal-sftp -u 0002

	# emerge -a --depclean
	# emerge -uDNa --with-bdeps=y world
	# revdep-rebuild


	# Shared rbenv

	# cd /usr/local
	# git clone git://github.com/sstephenson/rbenv.git rbenv
	# chgrp -R web rbenv/
	# chmod g+w rbenv/

	# mkdir /usr/local/rbenv/plugins
	# cd /usr/local/rbenv/plugins
	# git clone git://github.com/sstephenson/ruby-build.git
	# chgrp -R web ruby-build

	# emerge libyaml

	$ rbenv install --list
	$ rbenv install 1.9.3-p362
	$ rbenv rehash
	$ rbenv global 1.9.3-p362

	$ gem install bundler