LARP [ Linux (Ubuntu/14.04) Apache/2.4 RethinkDB PHP/5.4 ] Linode Setup Steps

Set hostname

echo "foobar" > /etc/hostname
hostname -F /etc/hostname

If this file exists

$ nano /etc/default/dhcpcd

Comment out SET_HOSTNAME

#SET_HOSTNAME='yes'

Update Hosts file

nano /etc/hosts

with

198.51.100.0 foobar.example.com foobar
2001:db8:100:f101:210:a4ff:fee3:9566 foobar.example.com foobar

Note: Add DNS records:

foobar.example.com A 198.51.100.0
foobar.example.com AAAA 2001:db8:100:f101:210:a4ff:fee3:9566

Set timezone (by default it's UTC so don't do this if you want to leave it at UTC):
```
dpkg-reconfigure tzdata
```
check timezone
```
date
```
Optionally setup ntp (See https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-12-04)
```
sudo apt-get install ntp
```

Update system

apt-get update
apt-get upgrade --show-upgraded

Add user and give it sudo rights
```
adduser foobaruser
usermod -a -G sudo foobaruser  
```
Note: Alternatives: gpasswd -a demo sudo (https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04)

Logout and login with new username
```
^D
ssh [email protected]
```
Setting up SSH Key Pair Authentication (To use key pair authentication without a passphrase, press Enter when prompted for a passphrase.)

Note: Do this on your local machine.
```
ssh-keygen
```
Two files will be created in your ~/.ssh directory: id_rsa and id_rsa.pub. The public key is id_rsa.pub - this file will be uploaded to your Linode. The other file is your private key. Do not share this file with anyone!
```
scp ~/.ssh/id_rsa.pub [email protected]:
ssh [email protected]
cd /home/foobaruser
mkdir .ssh
mv id_rsa.pub .ssh/authorized_keys
chown -R $USER:$USER .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
```
logout and login to test:
```
^D
ssh [email protected]
```
Disabling [SSH Password Authentication and] Root Login
```
sudo nano /etc/ssh/sshd_config
```
Disable PasswordAuthentication only if you won't be logging in from different servers and you have a fixed ip.
```
PasswordAuthentication no
PermitRootLogin no
```
restart SSH
```
sudo service ssh restart
```
Creating a Firewall using ufw`

Only allow incoming HTTP (80), HTTPS (443), SSH (22), and ping.
```
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```
review and enable (this will apply the exceptions you made, block all other traffic, and configure your firewall to start automatically at boot.)
```
sudo ufw show added
sudo ufw enable
```
References:
- https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-ubuntu-14-04-servers
- https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server)
- https://wiki.ubuntu.com/UncomplicatedFirewall
- https://blog.dbrgn.ch/2013/5/16/ufw-firewall/
- https://help.ubuntu.com/community/UFW
For setting up firewall using iptables see: https://gist.github.com/sandeepshetty/df41bce7bf916bfaf75d
Installing and Configuring Fail2Ban
```
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
sudo service fail2ban restart
```
Notes:
- https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
- Can set the bantime variable to specify how long (in seconds) bans should last.
- Can set the maxretry variable to specify the default number of tries a connection may be attempted before an attacker's IP address is banned.
- logs /var/log/fail2ban.log
Install Postfix null client

(Note: select no configuration while installing postfix)
```
sudo apt-get install postfix
sudo cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf
sudo /usr/sbin/postconf -e "inet_interfaces = loopback-only"
sudo service postfix restart
```
test it out (install mail if it doesn't exist):
```
sudo apt-get install mailutils
echo "test" | mail -s "test" [email protected]
```
logs: /var/log/mail.log

See also:
- "postfix_install_loopback_only" here https://www.linode.com/stackscripts/view/1
- http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client
Set up Apache
```
sudo apt-get update
sudo apt-get install apache2
```
check apache is up by visiting: http://foobar.example.com/

Optimize Apache

sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.backup.conf
sudo nano /etc/apache2/apache2.conf

Turn off KeepAlive and paste the module block to the end of apache2.conf

KeepAlive Off


<IfModule mpm_prefork_module>
StartServers 2
MinSpareServers 6
MaxSpareServers 12
MaxClients 80
MaxRequestsPerChild 3000
</IfModule>

Reference: https://www.linode.com/docs/websites/hosting-a-website#optimizing-apache-for-a-linode-1gb

Securing Apache:

sudo nano /etc/apache2/conf-enabled/security.conf

Set these:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

Disabling SSLv3 (https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle#apache)

sudo nano /etc/apache2/mods-available/ssl.conf

Set this:

SSLProtocol All -SSLv2 -SSLv3

Setup virtual host

Disable the default Apache virtual host

sudo a2dissite *default

Create new virtual host directories

cd /var/www
sudo mkdir example.com

sudo mkdir -p example.com/public_html
sudo mkdir -p example.com/log
sudo mkdir -p example.com/backups

sudo chown -R $USER:$USER /var/www/example.com/public_html/
sudo chown -R $USER:$USER /var/www/example.com/log/
sudo chown -R $USER:$USER /var/www/example.comm/backups/

create new virtual host conf

sudo nano /etc/apache2/sites-available/example.com.conf

and copy paste this into it:

<VirtualHost *:80>
  ServerAdmin [email protected]
  ServerName  www.example.com
  ServerAlias example.com

  DirectoryIndex index.html index.php
  DocumentRoot /var/www/example.com/public_html

  <Directory /var/www/example.com/public_html/>
    AllowOverride All
    Require all granted
    Options -Indexes
    Options +FollowSymLinks
    Options -Multiviews
  </Directory>
  LogLevel warn
  ErrorLog  /var/www/example.com/log/error.log
  CustomLog /var/www/example.com/log/access.log combined
</VirtualHost>

Enable the new virtual host and the rewrite module and restart apache.

sudo a2ensite newsite.com.conf
sudo a2enmod rewrite
sudo service apache2 restart

Notes:

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts

TODO:

SSL host
- https://github.com/sandeepshetty/stuff/blob/master/virtual-host-templates/
- https://www.linode.com/docs/security/ssl/ssl-certificates-with-apache-2-on-ubuntu

Set up PHP
```
sudo apt-get install php5
```
Test PHP by creating a file
```
sudo nano /var/www/html/info.php
```
and copying this into it:
```
<?php
phpinfo();
?>
```
Test in browser by visiting: http://foobar.example.com/info.php

delete the test file:
```
sudo rm /var/www/html/info.php
```
Install required modules

Search for required module (with example of searching for curl module)
```
apt-cache search php5-
apt-cache search php5- | grep curl
```
install and restart apache
```
sudo apt-get install php5-curl
sudo service apache2 restart
```

Optimize PHP

sudo nano /etc/php5/apache2/php.ini

Verify that the following values are set in php.ini

max_execution_time = 30
memory_limit = 128M
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
register_globals = Off
# disable the X-Powered-By header:
expose_php = Off

create the log file and restart

sudo mkdir -p /var/log/php
sudo chown www-data /var/log/php
sudo service apache2 restart

Reference: https://www.linode.com/docs/websites/hosting-a-website#optimizing-php-for-a-linode-1gb

Install Rethinkdb

From http://rethinkdb.com/docs/install/ubuntu/

source /etc/lsb-release && echo "deb http://download.rethinkdb.com/apt $DISTRIB_CODENAME main" | sudo tee /etc/apt/sources.list.d/rethinkdb.list
wget -qO- http://download.rethinkdb.com/apt/pubkey.gpg | sudo apt-key add -
sudo apt-get update
sudo apt-get install rethinkdb

Automatically run RethinkDB on system startup (http://rethinkdb.com/docs/cluster-on-startup/)

sudo cp /etc/rethinkdb/default.conf.sample /etc/rethinkdb/instances.d/instance1.conf
sudo vim /etc/rethinkdb/instances.d/instance1.conf # Edit some options if needed
sudo /etc/init.d/rethinkdb restart

TODO: Figure out how to pin the version number so Rethinkdb is not automatically upgraded. See http://docs.mongodb.org/manual/tutorial/install-mongodb-on-ubuntu/#install-the-mongodb-packages

Securing RethinkDB (http://rethinkdb.com/docs/security/)

RethinkDB is secure because we've already blocked the port in the firewall.

To connect to the admin follow these steps

Start a tunnel From local machine:
```
ssh -D 3000 [email protected]
```
Create a new firefox profile (the rest of the instructions assumes you names this profile foobar):
```
firefox -p
```
Edit > Preferences > Advanced > Network > Settings: manual proxy configuration
- Socks host: localhost
- Port: 3000
- Check socks v5
- No proxy for: (remove everything)
Start new profile from CLI:
```
firefox -P "foobar" -no-remote
```
Backing up RethinkDB

TODO: http://rethinkdb.com/docs/backup/ (Somthing like automysqlbackup)

sandeepshetty/larp.md

avimar commented Jan 15, 2015