zelo72
/
documentation
mirror of https://github.com/mastodon/documentation
1
0
Fork 0
Code Issues 6 Releases Wiki Activity
documentation/content/en/admin/prerequisites.md

148 lines
4.0 KiB
Markdown
Raw Normal View History

Update documentation with contents by twrnh
2020-01-01 22:37:59 +01:00
---
title: Preparing your machine
menu:
docs:
weight: 10
parent: admin
---
Update Ubuntu version, add missing commands (#944)
2022-05-14 20:14:24 +02:00
If you are setting up a fresh machine, it is recommended that you secure it first. Assuming that you are running **Ubuntu 20.04**:
Update documentation with contents by twrnh
2020-01-01 22:37:59 +01:00
Update content for 4.0 (part 1) (#991) * add rules * join date on profiles * deprecate follow scope * deprecate identity proofs * familiar followers * use definition lists instead of tables for defining activitypub properties * reformat notifications page into markdown * fix broken links to publicKey header * Application website is now nullable * update environment variables added and removed * fix typo * fix heading level * min_id and max_id can be used at the same time (3.3) * fix typo * new tootctl options * reformat tootctl page to use definition lists for params * add rules and configuration to Instance * fix typo * refactor instance api page * 3.3.0 duration on mutes * 3.3.0 mute_expires_at * improve section headings * 3.4.0 resend email confirmation api * 3.4.0 policy on push subscriptions * 3.4.0 add details to account registration error * refactor accounts api page and start adding relrefs to entity pages * 3.4.0 accounts/lookup api * add see also to accounts methods * add more see-also links * 3.5.0 appeal mod decisions * 3.5.0 reformat reports and add category/rule_ids params * document report entity and missing responses * fix typos * fix relrefs and url schema, add aliases to old urls * add archetypes for new methods/entities * update archetypes with see-also stubs * clearer presentation of rate limits * announcements api methods * refactor apps methods * refactor bookmarks methods + some anchors * refactor conversations methods * custom_emojis methods refactor * anchors * refactor directory methods * refactor domain_blocks methods * add see also to emails methods * fix page relref shortcodes to specific methods + refactor endorsements methods * min_id max_id * refactor favourites methods * refactor featured_tags methods * refactor filters methods, make path params consistent, i18n required shortcode * follow_requests methods * lists methods * markers methods * forgot to add entity links * media methods, also fix formatting of some json errors * mutes methods, add more see-also links * oembed methods * preferences methods * proofs methods * push methods * suggestions methods * 3.5.0 add new trend types, fix formatting * refactor streaming methods * refactor oauth methods * note that streaming api casts payload to string * refactor search methods * refactor polls methods * remove unnecessary link * reformat scheduled_statuses methods * reformat timelines methods * reformat statuses methods * 3.5.0 editing statuses * consistent use of array brackets in form data parameters * update dev setup guide, add vagrant and clean up text * add admin/accounts methods * 3.6 role entity * admin/accounts methods v2 * minor fix * stub admin/reports methods * document admin reports * add 403 example to methods archetype * cleanup entities for admin reports and add new attrs * 3.6.0 domain allows methods + normalize admin entity namespace * fix search-and-replace error * add aliases for admin entities * 3.6.0 canonical email blocks entity * 3.5.0 admin/retention api * 3.5.0 add admin::ip doc * 3.5.0 admin/reports * 3.6.0 admin/domain_allows * 3.5.0 admin/dimensions * 3.6.0 permissions and roles * minor formatting fix * add anchor link to headings * checkpoint * add update commands to dev env setup guide * change mentions of v3.6 to v4.0 * tootctl now uses custom roles * fix formatting * v2 instance api * update frontmatter, add better titles to pages * minor wording change * consistency * add more aliases * add placeholders and WIP notices * explain link pagination and stub out todos * switch baseURL to https * 422 on reports with rules but category!=violation * document bug fixes * fix typo * remove duplicate API method definition * s/tootsuite/mastodon for github links * remove unnecessary escaping * s/tootsuite/mastodon in Entity archetype * add missing nullable shortcode * clarify oauth scope when requesting a user token * api/v2/media now synchronous for images * DISALLOW_UNAUTHENTICATED_API_ACCESS * add undocumented env variables * add instance domain blocks and extended description api * add SMTP_ENABLE_STARTTLS * add description to SMTP_ENABLE_STARTTLS * take suggestions from open PRs * normalize links and flavour language * Fully document streaming API based on source code * Add mention of MIME types * bump to ruby 3.0.4 * clarify how to check on async media processing * validation of replies_policy * remove TODOs on admin account action * EmailDomainBlocks * IpBlocks * Admin::DomainBlock * remove TODOs * following hashtags * followed_tags * remove reference to unused parameter * add new oauth scopes for admin blocks and allows * fix command signature for i18n-tasks normalize * reformat code structure page * document fixes for following tags (assume 4.0.3) * Add warning about pre-4.0 hardcoded roles * add note about case sensitivity * remove use of 'simply' from docs * remove reference to silencing * add reference to IDN normalization for verified links * add lang parameter
2022-11-20 07:34:38 +01:00
## Do not allow password-based SSH login (keys only)
Update documentation with contents by twrnh
2020-01-01 22:37:59 +01:00
First make sure you are actually logging in to the server using keys and not via a password, otherwise this will lock you out. Many hosting providers support uploading a public key and automatically set up key-based root login on new machines for you.
Edit `/etc/ssh/sshd_config` and find `PasswordAuthentication`. Make sure its uncommented and set to `no`. If you made any changes, restart sshd:
Update Ubuntu version, add missing commands (#944)
2022-05-14 20:14:24 +02:00
```bash
systemctl restart ssh.service
```
Update documentation with contents by twrnh
2020-01-01 22:37:59 +01:00
## Update system packages
```bash
apt update && apt upgrade -y
```
## Install fail2ban so it blocks repeated login attempts
Update Ubuntu version, add missing commands (#944)
2022-05-14 20:14:24 +02:00
First, install fail2ban:
```bash
apt install fail2ban
```
Update documentation with contents by twrnh
2020-01-01 22:37:59 +01:00
Edit `/etc/fail2ban/jail.local` and put this inside:
```text
[DEFAULT]
destemail = your@email.here
sendername = Fail2Ban
[sshd]
enabled = true
port = 22
[sshd-ddos]
enabled = true
port = 22
```
Finally restart fail2ban:
```bash
systemctl restart fail2ban
```
Use more inclusive language. (#971)
2022-11-05 03:39:59 +01:00
## Install a firewall and only allow SSH, HTTP and HTTPS ports
Update documentation with contents by twrnh
2020-01-01 22:37:59 +01:00
First, install iptables-persistent. During installation it will ask you if you want to keep current rulesdecline.
```bash
apt install -y iptables-persistent
```
Edit `/etc/iptables/rules.v4` and put this inside:
```text
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
# The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
Update content for 4.0, part 2 (#1060) * fix relrefs around trends and related entities * revert moving caption-links to middle of page * hide empty menu in table of contents * clarify edit notifs are only for boosted statuses * following/followers no longer need auth * fix typo * specify cooldown period for account Move * use the correct cooldown * add missing parameters to accounts/id/statuses * link to account_statuses_filter.rb * fix typo (#1072) * fix typo (#1073) * fix link to http sig spec (#1067) * simply HTTP request examples in api methods docs * add missing client_secret to oauth/token (#1062) * Add any, all, none to hashtag timeline * minor formatting changes * Update signature requirements and advice * fix public key -> private key * clarify use of RSA with SHA256 * Add note about saving your profile after adding rel-me link * v2 filters api * comment out params that shouldn't be used in v2 filter api * admin trends * remove old todo * canonical email blocks + scheduled statuses * remove under-construction warnings from finished pages * verify api method params with source code * fix typo (#1088) * fix broken caption-links (#1100) * fix formatting of entities (#1094) * Remove keybase section from user guide (#1093) * fix typos (#1092) * Verify limits are accurate (#1086) * add mention of iframe limitation (#1084) * Add CORS header to WEB_DOMAIN example (#1083) * Fix typo (#1081) * pin http sigs spec at draft 8 * Revert "pin http sigs spec at draft 8" This reverts commit 9fd5f7032b69b29e77599dd62adfe8d2f5cd4f20. * add case sensitivity warning to 4.0 roles * Add url length note to bio (#1087) * remove follow scope from examples (#1103) * clarify usage of update_credentials to update profile fields * add noindex to Account entitity * remove required hint from technically not required property
2022-12-14 22:55:30 +01:00
# Allow destination unreachable messages, especially code 4 (fragmentation required) is required or PMTUD breaks
Update firewall examples to fix PMTUD issues (#998) According to RFC2979 Section 3.1.1 incoming ICMP Destination Unreachable / Fragmentation Needed errors MUST NOT be blocked.
2022-11-20 07:44:19 +01:00
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
Update documentation with contents by twrnh
2020-01-01 22:37:59 +01:00
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
```
With iptables-persistent, that configuration will be loaded at boot time. But since we are not rebooting right now, we need to load it manually for the first time:
```bash
iptables-restore < /etc/iptables/rules.v4
```
Added iptables-configuration for IPv6 (#1004) The configuration is basically the same as with IPv4, but with some minor changes to make them work in IPv6. Is it perfect? Probably not. But it's better than nothing.
2022-11-20 07:37:12 +01:00
If your server is also reachable over IPv6, edit `/etc/iptables/rules.v6` and add this inside:
```text
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d ::1/128 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
# The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmpv6 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
```
Update content for 4.0, part 2 (#1060) * fix relrefs around trends and related entities * revert moving caption-links to middle of page * hide empty menu in table of contents * clarify edit notifs are only for boosted statuses * following/followers no longer need auth * fix typo * specify cooldown period for account Move * use the correct cooldown * add missing parameters to accounts/id/statuses * link to account_statuses_filter.rb * fix typo (#1072) * fix typo (#1073) * fix link to http sig spec (#1067) * simply HTTP request examples in api methods docs * add missing client_secret to oauth/token (#1062) * Add any, all, none to hashtag timeline * minor formatting changes * Update signature requirements and advice * fix public key -> private key * clarify use of RSA with SHA256 * Add note about saving your profile after adding rel-me link * v2 filters api * comment out params that shouldn't be used in v2 filter api * admin trends * remove old todo * canonical email blocks + scheduled statuses * remove under-construction warnings from finished pages * verify api method params with source code * fix typo (#1088) * fix broken caption-links (#1100) * fix formatting of entities (#1094) * Remove keybase section from user guide (#1093) * fix typos (#1092) * Verify limits are accurate (#1086) * add mention of iframe limitation (#1084) * Add CORS header to WEB_DOMAIN example (#1083) * Fix typo (#1081) * pin http sigs spec at draft 8 * Revert "pin http sigs spec at draft 8" This reverts commit 9fd5f7032b69b29e77599dd62adfe8d2f5cd4f20. * add case sensitivity warning to 4.0 roles * Add url length note to bio (#1087) * remove follow scope from examples (#1103) * clarify usage of update_credentials to update profile fields * add noindex to Account entitity * remove required hint from technically not required property
2022-12-14 22:55:30 +01:00
Similar to the IPv4 rules, you can load it manually like this:
Added iptables-configuration for IPv6 (#1004) The configuration is basically the same as with IPv4, but with some minor changes to make them work in IPv6. Is it perfect? Probably not. But it's better than nothing.
2022-11-20 07:37:12 +01:00
```bash
ip6tables-restore < /etc/iptables/rules.v6
```