10 Steps To Well Configured VPS
1. 10 STEPS TO WELL CONFIGURED VPS FOR YOUR WEB APP.
RUBACI.CZ MAY, 2014
2. LINUX DISTRO
# NEVER
Ubuntu XX.10 # 9 months

# Yes
Ubuntu XX.04 LTS # 5 years
3. HOSTING
# SSD
DigitalOcean.com
linode.com

# AWS - Good for Dynamic Hosting
aws.amazon.com
4. BASIC UPDATE
# Update all
sudo apt-get -y update && sudo apt-get -y upgrade

# Basic packages
sudo apt-get install build-essential git-core
sudo apt-get install curl
sudo apt-get install python-software-properties
5. NEVER BE ROOT, NEVER!!
# Add deploy user
adduser deploy --ingroup admin

# Switch to Deploy user
su deploy
cd # To home directory

# Allow deploy to run SUDO
visudo
root ALL=(ALL) ALL
deploy ALL=(ALL) ALL
6. NO PASSWORDS PLEASE!
# SSH with keys
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
sudo aptitude install vim
vim ~/.ssh/authorized_keys

# OR
cat ~/.ssh/id_rsa.pub | ssh deploy@ip 'cat >> ~/.ssh/authorized_keys'
7. SSH - SERVER
# Change port to XXXX
# And turn off Root login and forbid passwords
sudo vim /etc/ssh/sshd_config
>>>>>>>>>>>>
Port 3245
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
# Optional! (kept on its own line so it is not parsed as part of the directive)
AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
<<<<<<<<<<<<

# Restart ssh daemon
sudo service ssh restart
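
One way to check the result of this step before relying on it, as an added example that is not part of the original slides: a small audit of an sshd_config file for the four settings above. The function names and the sample file are constructed for illustration; the sample shows how an earlier stale line overrides the hardened one, because sshd uses the first value it reads for each keyword.

```shell
#!/bin/sh
# Audit sshd_config for the four settings from the slide above (added example).

# effective_value FILE KEYWORD
# sshd keeps the FIRST value it reads for a keyword and keywords are
# case-insensitive. Only the global section (before any Match block) is read,
# Include files are not followed, and the parser also splits on "=".
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }
        k == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# check_sshd_config FILE: prints OK/FAIL per setting, returns the FAIL count.
# A setting left unset counts as FAIL: the slide sets each one explicitly.
check_sshd_config() {
    file=$1
    fails=0
    for pair in permitrootlogin=no permitemptypasswords=no passwordauthentication=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    port=$(effective_value "$file" port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL port is ${port:-22}, the slide moves SSH off the default"
        fails=$((fails + 1))
    else
        echo "OK   port $port"
    fi
    return "$fails"
}

# Constructed sample: the slide's values, plus a stale line above them that wins.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'Port 3245' 'PermitRootLogin no' \
    'PermitEmptyPasswords no' 'PasswordAuthentication no' > "$sample"
check_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a live host, `sudo sshd -T` prints the configuration the daemon actually resolves, including defaults and included files.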
8. SSH - CLIENT
# Generate SSH key
ssh-keygen -t rsa

# ~/.ssh/config
Host mojejmeno
# HostName: a name from /etc/hosts or an IP
HostName mujserver.com
Port XXXX
User deploy
9. PREVENT ATTACKS
# Firewall
sudo ufw allow 80 # HTTP
sudo ufw allow 443 # HTTPS

# SSH (add this rule before enabling, or new SSH connections are blocked)
sudo ufw allow from {your-ip} to any port XXXX

# Turn the firewall on
sudo ufw enable
10. PREVENT ATTACKS #2
# Fail2ban is a daemon that monitors login attempts
# to a server and blocks suspicious activity as it occurs.
# It's well configured out of the box.
sudo apt-get install fail2ban
11. ENABLE AUTOMATIC SECURITY UPDATES
# Install automatic upgrades
sudo apt-get install unattended-upgrades
sudo vim /etc/apt/apt.conf.d/10periodic
>>>>>>>>
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
<<<<<<<<

# Setup only security upgrades
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
>>>>>>>>
// Use your release's codename in place of lucid
Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
// "Ubuntu lucid-updates";
};
<<<<<<<<
12. EMAIL NOTIFICATION
# Install LogWatch
sudo apt-get install logwatch
sudo vim /etc/cron.daily/00logwatch

# Setup email notification
/usr/sbin/logwatch --output mail --mailto ladislav@martincik.com --detail high
13. WHAT NEXT?
# Troubleshooting
http://devo.ps/blog/2013/03/06/troubleshooting-5minutes-on-a-yet-unknown-box.html

# Keep a swipe file
Every good dev/ops should keep a swipe file of their best work
and of the things they did or will repeat.
14. HAPPY VPSING!!!
LADISLAV MARTINCIK {@MARTINCIK}