What To Create Side Past Times Side Afterwards Spinning Upwards A Debian Vps

Recently, I opened an unmanaged VPS hosting trace of piece of job concern human relationship amongst Digital Ocean (of which I am an affiliate), in addition to created a barebone Debian virtual server. Because the hosting was unmanaged, I had to apply all the organization changes to the machine myself. Below were the steps I took to laid upward the Debian virtual machine afterwards spinning it upward for the outset time.

I assume that yous desire to laid upward the LAMP stack - Linux, Apache, MYSQL, PHP - on your machine.

1. SSH into the virtual machine.
   Before yous tin lavatory login, yous ask to know Earth IP address of the novel machine. Digital Ocean sends it to yous inward an email.

   $ ssh root@your.IP.address

2. Change root password.
   When yous outset login to the Digital Ocean server, yous are automatically prompted to move inward a novel password. If your VPS is amongst somebody else, alter the password amongst the next command.

   # passwd

3. Get to know your organization environment.

   • Which Linux release?

     # lsb_release -a

   • How much memory, in addition to swap space?

     # gratis -h

                 total used gratis shared buffers cached    Mem:         497M  64M 432M     0B    7.3M    33M      -/+ buffers/cache: 23M 473M      Swap:          0B   0B   0B

     Note: No swap infinite was pre-allocated.

   • How much disk space?

     # df -h

   • Is DNS configured?

     # truthful cat /etc/resolv.conf
nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver 209.244.0.3

   • Which repositories?

     # truthful cat /etc/apt/sources.list
deb http://mirrors.digitalocean.com/debian wheezy master copy
deb http://security.debian.org/ wheezy/updates main

4. Update Debian.

   # apt-get update
# apt-get upgrade

5. Configure right timezone.

   Run the date ascendency to verify the electrical current time. If the fourth dimension looks wrong, your machine may live pre-configured to the incorrect timezone.

   # appointment Thu December four 00:07:37 UTC 2014

   The electrical current fourth dimension reported was inward the UTC timezone. But, I alive inward Vancouver, Canada which is inward the Pacific timezone. To alter the timezone, write the proper fourth dimension zone string to the file /etc/timezone, in addition to run dpkg-reconfigure.

   # echo America/Vancouver > /etc/timezone
# dpkg-reconfigure -f noninteractive tzdata
Current default fourth dimension zone: 'America/Vancouver'
Local fourth dimension is now: Midweek December three 16:08:58 PST 2014.
Universal Time is now: Thu December four 00:08:58 UTC 2014.

   Now, if yous run date, yous should encounter the right fourth dimension inward the local timezone.

   # appointment
Midweek December three 16:09:01 PST 2014

   Refer to my before post for to a greater extent than details.

6. Customize default text editor.

   If yous are non used to a text editor, it tin lavatory drive yous crazy. So, I alter the default text editor from nano to vim. You volition give cheers me when yous run visudo inward the adjacent step.

   Note: my outset alternative for text editor is emacs, only emacs is non installed past times default. Sigh.

   # update-alternatives --config editor

   Select /usr/bin/vim.tiny.

7. Add novel sudo user.

   Soon, I'll configure SSH to foreclose straight root login. Before that tin lavatory happen, a novel user is needed.

   First, practise a novel user every bit follows:

   # adduser peter

   Then, grant the novel user sudo privileges.

   # visudo

   Insert the next trace inward the User privilege specification section.

   peter ALL=(ALL:ALL) ALL

8. Tighten upward SSH security.

   • Disallow root login.

   # sed -i -e "s/^PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config

   • Change SSH port number from port 22 to port 2121.

   # sed -i -e "s/^Port 22/Port 2121/" /etc/ssh/sshd_config

   • Restart the SSH daemon.

   # service ssh restart

9. Build upward firewall.

   Run iptables to encounter how your firewall is currently configured:

   # iptables -L    Chain INPUT (policy ACCEPT) target  prot opt source   goal   Chain FORWARD (policy ACCEPT)  target  prot opt source   goal   Chain OUTPUT (policy ACCEPT)    target  prot opt source   destination

   Note: The firewall is laid upward past times default to convey everything.

   To ready a minimal firewall that allows incoming web, SSH in addition to ping traffic, number the next commands inward the specified order:

   # iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -I INPUT ii -i lo -j ACCEPT
# iptables -I INPUT three -m conntrack --ctstate NEW -p tcp --syn --dport eighty --j ACCEPT
# iptables -I INPUT four -m conntrack --ctstate NEW -p tcp --syn --dport 2121 --j ACCEPT
# iptables -I INPUT five -p icmp --icmp-type echo-request -m bound --limit 2/second -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP

   Inspect the novel firewall using the next command:

   # iptables -L -v

   Refer to my before post for to a greater extent than details on how to laid upward the firewall.

10. Save firewall configuration.

    The novel firewall configuration does non persist inward the outcome of a organization reboot. To relieve the firewall permanently, yous must outset install the iptables-persistent package.

    # apt-get install iptables-persistent

    The install plan volition inquire if yous desire to relieve the electrical current `iptables` rules. Answer yes.

    If yous brand to a greater extent than firewall changes afterwards installing the higher upward package, yous ask to explicitly relieve the rules using the ascendency below:

    # iptables-save > /etc/iptables/rules.v4

11. Deploy fail2ban.

    fail2ban scans organization log files for signs of a cyber attack. Upon the detection of a possible attack, it bans the originating suspect IP address for a specified amount of time.

    • Install fail2ban.

      # apt-get install fail2ban

    • Configure fail2ban.

      # truthful cat > /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
maxretry = three
[ssh]
maxretry = three
port = 2121

      bantime specifies the ban duration inward seconds. maxretry specifies the threshold for triggering the ban. port specifies the SSH port number.

    • Restart fail2ban.

      # service fail2ban restart

12. Create swap file.

    My VPS hosting invention amongst Digital Ocean gives me 512 MB of RAM in addition to twenty GB inward SSD disk space. While RAM is express inward that configuration, the virtual server has enough of unused disk space. The extra disk infinite tin lavatory live utilized to boost the available virtual memory. Follow the steps below to practise the swap file /var/swap.img.

    # fallocate -l 500M /var/swap.img
# chmod 600 /var/swap.img
# mkswap /var/swap.img
# swapon /var/swap.img
# echo "/var/swap.img none swap sw 0 0" >> /etc/fstab

    Refer to my before post for to a greater extent than details.

13. Set upward SMTP server to redirect root emails.

    You run the lead chances of ignoring of import organization alerts if emails to root are non read regularly. Follow the steps below to forwards all root emails to an e-mail address that yous truly monitor.

    • Configure exim4 to redirect all outbound emails to the Google Gmail SMTP server.

      You ask a Gmail trace of piece of job concern human relationship inward fellowship to purpose Gmail SMTP. Refer to my before post for to a greater extent than details.

    # hostname --fqdn > /etc/mailname
    The /etc/mailname file should incorporate the fully-qualified domain nurture to purpose for outgoing postal service messages. The Sender e-mail address of a message uses this value every bit its domain name.

    # sed -i -e "s/dc_eximconfig_configtype=.*/dc_eximconfig_configtype='smarthost'/" /etc/exim4/update-exim4.conf.conf
smarthost is the configuration type yous want.

    # sed -i -e "s/dc_smarthost=.*/dc_smarthost='smtp.gmail.com::587'/" /etc/exim4/update-exim4.conf.conf
    If yous possess got a non-Gmail SMTP server, supersede smtp.gmail.com amongst the proper domain name.

    # sed -i -e "s/dc_hide_mailname=.*/dc_hide_mailname='false'/" /etc/exim4/update-exim4.conf.conf

    # sed -i -e "s/dc_other_hostnames=.*/dc_other_hostnames=''/" /etc/exim4/update-exim4.conf.conf

    # echo '*.google.com:yourAccount@gmail.com:yourPassword' >> /etc/exim4/passwd.client
    Customize the higher upward amongst your ain Gmail trace of piece of job concern human relationship in addition to password. If yous are non using Gmail, supersede google.com amongst the proper domain name.

    # update-exim4.conf

    # service exim4 restart

    • Redirect root emails to a valid e-mail address.

      Refer to an before post for to a greater extent than details.

    # echo -e 'root: peter\npeter: yourEmailAddress@somedomain.com' >> /etc/aliases
    The higher upward ascendency inserts ii lines into /etc/aliases. The outset trace (root: peter) specifies that all emails to root are forwarded to peter, a novel user nosotros added earlier. The minute trace (peter: yourEmailAddress@somedomain.com) specifies that all emails to peter are redirected to the external e-mail address.

    # newaliases
    Run newaliases to rebuild the e-mail aliases database.

14. Note which essential packages are however uninstalled.

    My yet-to-install packet listing comprises:

    • chkconfig
    • MYSQL
    • Apache
    • PHP5

    You tin lavatory purpose the next ascendency to reveal out if a package, say PHP5, is installed:

    # dpkg -l php5*
dpkg-query: no packages institute matching php5*

15. Install missing packages.

    • chkconfig

      # apt-get install chkconfig

    • MYSQL

      # apt-get install mysql-server mysql-client

      After installing MYSQL, run the mysql_secure_installation plan to tighten upward security.

      # mysql_secure_installation

    • Apache

      # apt-get install apache2

    • PHP5

      # apt-get install php5 php5-mysql php5-gd php5-curl

    For farther details on how to install the higher upward packages, refer to my before post.

After yous seat inward all the difficult move to teach this far, your machine is live on inward a usable state. It is wise (albeit optional) to relieve the electrical current machine state. Digital Ocean allows yous to practise a organization snapshot of your server. You tin lavatory restore the server to that exceptional state at whatever fourth dimension inward the future.

When yous login to the virtual server via SSH, don't forget to purpose the novel user in addition to port number.

$ ssh -p 2121 peter@your.ip.address

Share this post