From 3bf7bb22114744cee98391bf0229ae6a673aeca3 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Mon, 24 Sep 2018 02:57:14 +0200 Subject: [PATCH] Add basic server instructions --- content/en/administration/installation.md | 105 ++++++++++++++++++++-- 1 file changed, 97 insertions(+), 8 deletions(-) diff --git a/content/en/administration/installation.md b/content/en/administration/installation.md index 7bea7bd6..cf29d268 100644 --- a/content/en/administration/installation.md +++ b/content/en/administration/installation.md @@ -5,20 +5,109 @@ menu: parent: administration weight: 1 --- - ## Basic server setup (optional) -If you are setting up a fresh machine, it is recommended that you secure it first: +If you are setting up a fresh machine, it is recommended that you secure it first. Assuming that you are running **Ubuntu 18.04**: -- Do not allow password-based SSH login (keys only) -- Update system packages -- Install fail2ban so it blocks repeated login attempts -- Install a firewall and only whitelist SSH, HTTP and HTTPS ports +### Do not allow password-based SSH login (keys only) + +First make sure you are actually logging in to the server using keys and not via a password, otherwise this will lock you out. Many hosting providers support uploading a public key and automatically set up key-based root login on new machines for you. + +Edit `/etc/ssh/sshd_config` and find `PasswordAuthentication`. Make sure it's uncommented and set to `no`. If you made any changes, restart sshd: + +```sh +systemctl restart ssh +``` + +### Update system packages + +```sh +apt update && apt upgrade -y +``` + +### Install fail2ban so it blocks repeated login attempts + +```sh +apt install fail2ban +``` + +Edit `/etc/fail2ban/jail.local` and put this inside: + +```ini +[DEFAULT] +destemail = your@email.here +sendername = Fail2Ban + +[sshd] +enabled = true +port = 22 + +[sshd-ddos] +enabled = true +port = 22 +``` + +Finally restart fail2ban: + +```sh +systemctl restart fail2ban +``` + +### Install a firewall and only whitelist SSH, HTTP and HTTPS ports + +First, install iptables-persistent. During installation it will ask you if you want to keep current rules--decline. + +```sh +apt install -y iptables-persistent +``` + +Edit `/etc/iptables/rules.v4` and put this inside: + +``` +*filter + +# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 +-A INPUT -i lo -j ACCEPT +-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT + +# Accept all established inbound connections +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Allow all outbound traffic - you can modify this to only allow certain traffic +-A OUTPUT -j ACCEPT + +# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). +-A INPUT -p tcp --dport 80 -j ACCEPT +-A INPUT -p tcp --dport 443 -j ACCEPT + +# Allow SSH connections +# The -dport number should be the same port number you set in sshd_config +-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT + +# Allow ping +-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT + +# Log iptables denied calls +-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 + +# Reject all other inbound - default deny unless explicitly allowed policy +-A INPUT -j REJECT +-A FORWARD -j REJECT + +COMMIT +``` + +With iptables-persistent, that configuration will be loaded at boot time. But since we are not rebooting right now, we need to load it manually for the first time: + +```sh +iptables-restore < /etc/iptables/rules.v4 +``` ## Pre-requisites -- A machine running Ubuntu 18.04 that you have root access to -- A domain name (or a subdomain) for the Mastodon server +- A machine running **Ubuntu 18.04** that you have root access to +- A **domain name** (or a subdomain) for the Mastodon server, e.g. `example.com` +- An e-mail delivery service or other **SMTP server** You will be running the commands as root. If you aren't already root, switch to root: