Setup your Linux Server

State: draft

Note: This shall serve as a collection of all relevant commands, so that one might save some time searching the world wide web.

USER and OS: Configure your own user and set up daily OS upgrades.

# change root password
passwd
# add personal user
adduser USERNAME
# add user to sudo group
adduser USERNAME sudo
# install unattended upgrades package...
sudo apt-get update
sudo apt-get install unattended-upgrades
# ... and enable
sudo dpkg-reconfigure --priority=low unattended-upgrades

FIREWALL: Install and set up the firewall. You may want to change the SSH port. Make sure to allow ssh first (so that you do not lock yourself out of your own server), then allow the new port, and deny ssh only once you have connected successfully on the new port.

# see what applications are listening on what ports
ss -tulpn
# install firewall
sudo apt-get install ufw
sudo ufw status
sudo ufw allow ssh
....

Docker (https://docs.docker.com/engine/install/ubuntu/)

# uninstall if present
sudo apt-get remove docker docker-engine docker.io containerd runc

sudo apt-get update

sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
    
# add pgp key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

# check fingerprint
sudo apt-key fingerprint 0EBFCD88
# result:
#pub   rsa4096 2017-02-22 [SCEA]
#      9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
#uid           [ unknown] Docker Release (CE deb) <docker@docker.com>
#sub   rsa4096 2017-02-22 [S]

sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
   
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

# check
sudo docker run hello-world

Set up a folder that is used for Docker mounts, e.g. /data (add user USERNAME to the “docker” group).

# add user USERNAME to group www-data
sudo adduser USERNAME www-data

# make current user and group own given folder
sudo chown -R "$USER":www-data /var/www

# set permissions: owner rwx, group and others r-x
sudo chmod -R 0755 /var/www

# setgid bit: files and folders created inside inherit the folder's group (the owner is still the creating user)
sudo chmod g+s /var/www

FIREWALL + DOCKER: When you run a container and expose a port, Docker bypasses the rules set by ufw, because Docker manipulates iptables directly. IMO, it is just crazy, but it is how it is.

Solution: https://github.com/chaifeng/ufw-docker
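To see which ports are affected on a given host, the following added check (not part of the original post or of ufw-docker) compares Docker's listeners with the ufw allow list. The function name `audit_exposed` and both sample inputs are constructed for illustration, and it assumes Docker's default userland proxy, so published ports show up in `ss` as `docker-proxy`.

```shell
#!/bin/sh
# Added example (not from the original post): list TCP ports that Docker
# publishes on non-loopback addresses without a matching ufw ALLOW rule.
# Live use: audit_exposed "$(sudo ss -H -tlpn)" "$(sudo ufw status)"

# Constructed sample of `ss -H -tlpn` output.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=2101,fd=4))
LISTEN 0 4096 127.0.0.1:33000 0.0.0.0:* users:(("docker-proxy",pid=2150,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=950,fd=6))
LISTEN 0 4096 [::]:8080 [::]:* users:(("docker-proxy",pid=2107,fd=4))
LISTEN 0 4096 [::]:5432 [::]:* users:(("docker-proxy",pid=2203,fd=4))'

# Constructed sample of `ufw status` output.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

audit_exposed() {  # $1 = ss output, $2 = ufw status output
  { printf '%s\n' "$2"; echo '@@SS@@'; printf '%s\n' "$1"; } | awk '
    $0 == "@@SS@@" { in_ss = 1; next }
    !in_ss {                       # ufw part: remember allowed ports
      if ($1 ~ "^[0-9]+(/tcp)?$" && $0 ~ / ALLOW /) {
        split($1, p, "/"); allowed[p[1]] = 1
      }
      next
    }
    /docker-proxy/ {               # ss part: listeners owned by Docker
      n = split($4, a, ":"); port = a[n]
      host = substr($4, 1, length($4) - length(port) - 1)
      if (host ~ /^127\./ || host == "[::1]") next   # loopback only
      if (!(port in allowed) && !(port in seen)) { seen[port] = 1; print port }
    }' | sort -n
}

audit_exposed "$SAMPLE_SS" "$SAMPLE_UFW"
```

Every port it prints is reachable from outside even though ufw has no allow rule for it; binding the container port to 127.0.0.1, as the reverse proxy upstream on this page does, takes it off the list.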

NGINX and CERTBOT:

sudo apt-get install nginx
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx fail2ban

Configure your first Service:

# reverse proxy basic config
# Note 1: after creating this file in /etc/nginx/sites-available link it into sites-enabled:
#  `sudo ln -s /etc/nginx/sites-available/suby.subx.domain.tld /etc/nginx/sites-enabled/suby.subx.domain.tld`
# Note 2: after changing nginx, make sure to reload nginx config via: `sudo nginx -s reload`
# Note 3: add the new site to certbot via: 
#  `sudo certbot --nginx -d subx.domain.tld -d suby.subx.domain.tld --register-unsafely-without-email`


upstream NEWAPP {                              # <----- change this line
      server 127.0.0.1:33XYZ;                  # <----- change this line
}

server {
        server_name NEWAPP.server.*;          # <----- change this line
        
        # set to 0 for unlimited. Default is 1M.
        client_max_body_size 0;

        location / {
                proxy_pass http://NEWAPP/;    # <----- change this line
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_redirect off;
                proxy_read_timeout 86400;
                add_header   Front-End-Https   on;
        }
}

Enable Service via certbot (see comment above)

Enable fail2ban… ToDo

Enable Logwatch (weekly log report)

Manage services with docker-compose (see post)
