State: draft
Note: This shall serve as a collection of all relevant commands, so that one might save some time searching the world wide web.
USER and OS: Configure your own user and set up daily OS upgrades. The first three commands run as root on the fresh server; everything after that runs as the new user via sudo.
# Change root pw:
passwd
# add personal user
adduser USERNAME
# add user to sudo group
adduser USERNAME sudo
# install unattended upgrades package...
sudo apt-get update
sudo apt-get install unattended-upgrades
# ... and enable it (answer "Yes"; this writes /etc/apt/apt.conf.d/20auto-upgrades, the package selection lives in 50unattended-upgrades)
sudo dpkg-reconfigure --priority=low unattended-upgrades
FIREWALL: Install and configure the firewall. You may want to change the SSH port. The order matters: first allow SSH on port 22 (so that you do not lock yourself out of your own server), then allow the new port, enable the firewall, move sshd to the new port, and only once a fresh login on the new port has succeeded, deny the old SSH port.
# see what applications are listening on what ports
ss -tulpn
# install firewall
sudo apt-get install ufw
sudo ufw status
# allow SSH before enabling; "ssh" resolves to 22/tcp via /etc/services, so a changed port must be allowed explicitly as NEWPORT/tcp
sudo ufw allow ssh
....
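The lock-out-safe sequence described above as a runnable script (an added example, not part of the original notes): enabling ufw and moving sshd to a new port are split into three phases meant to be run from separate SSH sessions, and a dry-run mode records the commands instead of executing them so the ordering can be checked. The port 2222, the DRY_RUN and NEW_SSH_PORT variables and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): the lock-out-safe order for
# enabling ufw and moving sshd to a new port, split into phases that are run
# from separate SSH sessions. Assumptions: Ubuntu/Debian with ufw and OpenSSH,
# a sudo-capable user, and NEW_SSH_PORT chosen by you. DRY_RUN=1 (the default
# here) only records the commands so the ordering can be checked; DRY_RUN=0
# executes them.
set -eu

NEW_SSH_PORT="${NEW_SSH_PORT:-2222}"   # assumed example port
DRY_RUN="${DRY_RUN:-1}"
RECORDED=""                            # commands recorded in dry-run mode
nl='
'

run() {
  if [ "$DRY_RUN" = "1" ]; then
    RECORDED="${RECORDED}$*${nl}"
  else
    "$@"
  fi
}

# A usable unprivileged TCP port: digits only, 1024..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Phase 1 (session A): open the old and the new port, then enable the firewall.
# Port 22 stays open so the current session and a retry cannot be locked out.
open_ports() {
  valid_port "$NEW_SSH_PORT" || { echo "bad port: $NEW_SSH_PORT" >&2; return 1; }
  run sudo ufw default deny incoming
  run sudo ufw default allow outgoing
  run sudo ufw allow ssh                   # 22/tcp, resolved via /etc/services
  run sudo ufw allow "${NEW_SSH_PORT}/tcp"
  run sudo ufw --force enable              # --force skips the interactive prompt
}

# Phase 2 (session A): point sshd at the new port; sshd -t rejects a broken
# config before the restart. Assumes a "Port" line (commented or not) exists.
move_sshd() {
  run sudo sed -i "s/^#\{0,1\}Port .*/Port ${NEW_SSH_PORT}/" /etc/ssh/sshd_config
  run sudo sshd -t
  run sudo systemctl restart ssh
}

# Phase 3 (only after a NEW login in session B on the new port succeeded and
# `ss -tulpn` shows sshd on it): close the old port. Keep session A open until then.
close_old_port() {
  run sudo ufw delete allow ssh
}

# 1-based position of the first recorded command matching a grep pattern
# (used to check the ordering in dry-run mode).
recorded_index() {
  printf '%s' "$RECORDED" | grep -n -m1 -- "$1" | cut -d: -f1
}
```

Run `open_ports` and `move_sshd` from your current session, open a second terminal and log in on the new port, and only then run `close_old_port` from the first one; if the second login fails, the first session is still there to undo the change.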
Docker (https://docs.docker.com/engine/install/ubuntu/)
# uninstall if present
sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get update
sudo apt-get install \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common
# add Docker's PGP key (apt-key is deprecated on Ubuntu 22.04+/Debian 11+; the current Docker docs store the key under /etc/apt/keyrings and reference it with signed-by= in the repo line)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
# check the fingerprint: compare the full 40-hex-digit fingerprint below against the one in Docker's install docs, not just the 8-digit key ID used to look it up
sudo apt-key fingerprint 0EBFCD88
# result:
#pub rsa4096 2017-02-22 [SCEA]
# 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
#uid [ unknown] Docker Release (CE deb) <docker@docker.com>
#sub rsa4096 2017-02-22 [S]
# add the stable repo (arch=amd64 hard-codes x86_64; use $(dpkg --print-architecture) on other hardware)
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
# check that the daemon works (pulls and runs a test image; needs sudo until the user is in the docker group)
sudo docker run hello-world
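An added example (not Docker's installer and not from the original notes) that does what the fingerprint check above is meant to do, but compares the full fingerprint rather than trusting an 8-digit key ID, and registers the key the way the current Docker docs do (keyring file plus signed-by=) instead of apt-key. The gpg colon-format samples are constructed for offline testing; the expected fingerprint is the one shown above, everything else in the samples is made up.

```shell
#!/usr/bin/env bash
# Added example (not Docker's own installer): fetch Docker's repository key,
# refuse to install it unless its FULL primary-key fingerprint matches the
# value published in Docker's docs, and register it the way current docs do
# (a keyring file plus signed-by=, instead of the deprecated apt-key).
# Assumptions: Ubuntu with curl and gpg >= 2.1.23 (for --show-keys).
set -eu

# Full fingerprint of the "Docker Release (CE deb)" key from the install docs.
EXPECTED_FPR="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"

# Print the primary key's fingerprint from `gpg --with-colons --show-keys`
# output: the first fpr record after a pub record, field 10.
primary_fingerprint() {
  awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# $1 = expected fingerprint, stdin = gpg colon output. Compares all 40 hex
# digits; the 8-digit key ID that `apt-key fingerprint 0EBFCD88` is looked up
# by is trivially collidable and proves nothing on its own.
fingerprint_matches() {
  got=$(primary_fingerprint)
  [ "$got" = "$1" ]
}

install_docker_key() {
  tmp=$(mktemp)
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o "$tmp"
  if ! gpg --with-colons --show-keys "$tmp" | fingerprint_matches "$EXPECTED_FPR"; then
    echo "Docker key fingerprint mismatch; refusing to install it" >&2
    rm -f "$tmp"
    return 1
  fi
  sudo install -m 0755 -d /etc/apt/keyrings
  sudo install -m 0644 "$tmp" /etc/apt/keyrings/docker.asc
  rm -f "$tmp"
  echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
    | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
}

# Constructed sample of gpg colon output for offline testing: the primary
# fingerprint is the real one from the docs; all other fields are made up.
SAMPLE_GOOD='pub:-:4096:1:8D81803C0EBFCD88:1487788586:::-:::scESCA::::::23::0:
fpr:::::::::9DC858229FC7DD38854AE2D88D81803C0EBFCD88:
uid:-::::1487788586::0000000000000000000000000000000000000000::Docker Release (CE deb) <docker@docker.com>::::::::::0:
sub:-:4096:1:0000000000000000:1487788586::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Constructed "attacker" key whose key ID also ends in 0EBFCD88 but whose full
# fingerprint differs; `apt-key fingerprint 0EBFCD88` would display it just the same.
SAMPLE_BAD='pub:-:4096:1:000000000EBFCD88:1487788586:::-:::scESCA::::::23::0:
fpr:::::::::000000000000000000000000000000000EBFCD88:
uid:-::::1487788586::0000000000000000000000000000000000000000::Docker Release (CE deb) <docker@docker.com>::::::::::0:'
```

`install_docker_key` is the only function that touches the network or needs sudo; the two helpers above it are pure and are what the samples exercise.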
Set up a folder which is used for docker bind mounts, e.g. /data (the commands below use /var/www and the www-data group as the example; substitute your own path and group).
Add USERNAME to the "docker" group the same way as to the sudo group above, but be aware that docker group membership is root-equivalent: anyone in it can start a container that mounts the host filesystem.
# add user USERNAME to the group www-data
sudo adduser USERNAME www-data
# make the current user and the www-data group own the folder
sudo chown -R "$USER":www-data /var/www
# owner rwx, group and others r-x (note: -R 0755 also sets the execute bit on every file; restrict it to directories if that matters)
sudo chmod -R 0755 /var/www
# setgid on the directory: files and subdirectories created inside it inherit its group (new subdirectories also inherit the setgid bit), so they stay shared with www-data. This applies to /var/www itself only; run it on existing subdirectories too if they should behave the same.
sudo chmod g+s /var/www
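The setgid setup above, as an added example (not from the original notes) that separates directory and file modes and demonstrates the inheritance: it creates a shared directory in a temp location, then makes a subdirectory and a file inside it and checks that the subdirectory inherited the setgid bit. The path names, the 2775/0664 modes and the use of the caller's primary group instead of www-data are assumptions so that it runs without root.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): set up a group-shared
# directory and show what the setgid bit actually does. Assumptions: Linux
# with GNU coreutils; the demo uses a temp directory and the caller's own
# primary group, so it needs no root and no www-data group.
set -eu

# $1 = directory, $2 = group. Unlike "chmod -R 0755", this keeps files
# non-executable and group-writable, and sets setgid on every directory.
setup_shared_dir() {
  dir=$1; grp=$2
  mkdir -p "$dir"
  chgrp -R "$grp" "$dir"
  find "$dir" -type d -exec chmod 2775 {} +   # rwxrwsr-x: setgid + group write
  find "$dir" -type f -exec chmod 0664 {} +   # rw-rw-r--: no exec bit on data
}

# true if the setgid bit is set on $1
has_setgid() { [ -g "$1" ]; }

# Creates a subdirectory and a file inside a freshly set-up shared directory
# and returns 0 if the subdirectory inherited setgid from its parent.
# Group inheritance works the same way: everything created below the directory
# gets the directory's group, whatever the creating user's primary group is.
# The permission bits of new files still come from the creator's umask, so
# group write on new files additionally needs umask 002 (or a default ACL).
demo_setgid_inheritance() {
  tmp=$(mktemp -d)
  setup_shared_dir "$tmp/www" "$(id -gn)"
  mkdir "$tmp/www/app"                 # created after setup: inherits setgid
  : > "$tmp/www/app/index.html"        # created after setup: inherits the group
  if has_setgid "$tmp/www" && has_setgid "$tmp/www/app"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}
```

On the real server call `setup_shared_dir /var/www www-data` with sudo; the demo function only exists to show the inheritance without touching system paths.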
FIREWALL + DOCKER: When you run a container with a published port, Docker bypasses the rules set by ufw: it manipulates iptables directly and inserts its own chains ahead of ufw's, so a port published on 0.0.0.0 is reachable from the internet even though ufw shows it as denied. IMO, it is just crazy, but it is how it is. The services behind the nginx reverse proxy below only need to be reachable on localhost anyway, so publish them bound to 127.0.0.1 on the host side instead of 0.0.0.0; then no ufw rule is involved at all.
Solution for the remaining cases: https://github.com/chaifeng/ufw-docker
NGINX and CERTBOT:
sudo apt-get install nginx
# the certbot/certbot PPA has been discontinued; on current Ubuntu the distro package is python3-certbot-nginx (or install certbot via snap as certbot's site recommends)
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx fail2ban
Configure your first Service:
# reverse proxy basic config
# Note 1: after creating this file in /etc/nginx/sites-available, link it into sites-enabled:
# `sudo ln -s /etc/nginx/sites-available/suby.subx.domain.tld /etc/nginx/sites-enabled/suby.subx.domain.tld`
# Note 2: after changing the nginx config, test it first (`sudo nginx -t`) and then reload it via `sudo nginx -s reload`
# Note 3: add the new site to certbot via:
# `sudo certbot --nginx -d subx.domain.tld -d suby.subx.domain.tld --register-unsafely-without-email`
# (--register-unsafely-without-email means Let's Encrypt cannot mail you about expiring or revoked certificates; drop it and pass -m you@domain.tld if you want those warnings)
upstream NEWAPP { # <----- change this line
    server 127.0.0.1:33XYZ; # <----- change this line (the container's published port, bound to localhost)
}
server {
    server_name NEWAPP.server.*; # <----- change this line
    # maximum request body (upload) size; 0 disables the limit entirely. Default is 1M. Set it to what the app actually needs.
    client_max_body_size 0;
    location / {
        proxy_pass http://NEWAPP/; # <----- change this line
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        # WebSocket support: HTTP/1.1 plus the Upgrade/Connection headers (sent unconditionally here, which most apps tolerate)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_redirect off;
        # keep idle WebSocket connections open for a day instead of the 60s default
        proxy_read_timeout 86400;
        # note: add_header sets a RESPONSE header to the client; the app learns that it sits behind TLS from X-Forwarded-Proto above
        add_header Front-End-Https on;
    }
}
Enable Service via certbot (see comment above)
Enable fail2ban… ToDo
Enable Logwatch (weekly log report)
Manage services with docker-compose (see post)
Sources: