# Dreckbu.de server initial setup

## ssh

```bash
# as root
adduser noah
usermod -aG sudo noah
```

* Copy public keys to the server with `ssh-copy-id -i KEY_FILE user@host`, then confirm that a key-based login for `noah` works from a second terminal before password logins are switched off.

```bash
nano /etc/ssh/sshd_config
```

* Change *PasswordAuthentication yes* to *PasswordAuthentication no*. sshd honours the first matching directive, so a second `PasswordAuthentication` line appended at the end of the file (or below a `Match` block) has no effect; edit the existing line, and if the file starts with an `Include /etc/ssh/sshd_config.d/*.conf` line check the drop-ins there as well.

```bash
systemctl restart sshd
```

* Run `sshd -t` before the restart to catch syntax errors, keep the current session open until a fresh key-based login has succeeded, and confirm the effective value with `sshd -T | grep -i passwordauthentication` (it must print `passwordauthentication no`).

## software

```bash
apt update && apt upgrade
apt install vim tmux htop zsh
update-alternatives --config editor
```

## firewall

```bash
netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995'
apt install iptables-persistent
```

* The `netstat` line lists which of the mail and web ports already have a listener (`netstat` comes from `net-tools`; `ss -tulpn` shows the same without it).
* Ports published by Docker never pass through the INPUT chain: Docker inserts its own rules into FORWARD and leaves the DOCKER-USER chain, evaluated before them, for local policy. That is why SSH (a host service) is filtered in INPUT below while the mail and web ports (container services) are filtered in DOCKER-USER.
* iptables base: `vim /etc/iptables.up.rules`

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]

##
# INPUT
##

# Allow localhost
-A INPUT -i lo -j ACCEPT

# Allow established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP ping (echo request)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# INPUT default DROP
-A INPUT -j DROP

##
# DOCKER-USER rules
##

# Allow established connections
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# SMTP
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

# http
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

# https
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT

# DOCKER-USER default DROP
-A DOCKER-USER -i eth0 -j DROP

COMMIT
```

* Modified `vim /etc/iptables.up.rules` (same structure, plus the remaining mail ports: SMTPS, submission, IMAP/IMAPS, POP3/POP3S and ManageSieve)

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]

##
# INPUT
##

# Allow localhost
-A INPUT -i lo -j ACCEPT

# Allow established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP ping (echo request)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# INPUT default DROP
-A INPUT -j DROP

##
# DOCKER-USER rules
##

# Allow established connections
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# SMTP
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

# SMTPS
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 465 -j ACCEPT

# Postfix Submission
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 587 -j ACCEPT

# IMAP
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT

# IMAPS
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT

# POP3
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT

# POP3S
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT

# Dovecot ManageSieve
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 4190 -j ACCEPT

# http
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

# https
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT

# DOCKER-USER default DROP
-A DOCKER-USER -i eth0 -j DROP

COMMIT
```

```bash
iptables-restore < /etc/iptables.up.rules
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
```

* `iptables-restore --test < /etc/iptables.up.rules` parses the file without committing it; run that first, from a session you can afford to lose.
* Only the IPv4 rules come from the file. `ip6tables-save` just records the current IPv6 state, which on a fresh host is empty chains with ACCEPT policies, so if the server has a public IPv6 address it needs an equivalent ip6tables ruleset or IPv6 traffic stays unfiltered.

**leave iptables alone, it breaks everything!!!**

The reason: the file defines the whole `filter` table, so `iptables-restore` flushes it and replaces Docker's own FORWARD, DOCKER and DOCKER-ISOLATION chains along with everything else. Containers then lose connectivity until `systemctl restart docker` recreates those chains. When the rules do need to change, edit the file, re-apply it and restart Docker rather than editing live rules.

## datetime

```bash
timedatectl status
```

* Check that the output shows `System clock synchronized: yes` and the expected time zone; a skewed clock breaks TLS certificate validation and makes log timestamps hard to correlate with other hosts.

## hostname and fqdn

```bash
vim /etc/hostname # replace with srv01
hostname $(cat /etc/hostname)
vim /etc/resolvconf/resolv.conf.d/head # add domain dreckbu.de at the end
resolvconf -u
hostnamectl set-hostname srv01
vim /etc/hosts # replace with srv01
```

* `hostnamectl set-hostname srv01` writes `/etc/hostname` and sets the running hostname in one step, so on a systemd host the first two commands are covered by it.
* In `/etc/hosts` put the FQDN before the short name, `127.0.1.1 srv01.dreckbu.de srv01`; afterwards `hostname` should print `srv01` and `hostname -f` should print `srv01.dreckbu.de`.
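Two of the steps above can fail without the commands themselves saying so: sshd_config uses first-match semantics, so a `PasswordAuthentication no` that ends up below an earlier `yes` or inside a `Match` block is ignored, and a rules file only protects what it actually accepts and drops. The script below is an added example and not part of the original setup notes. It runs offline against constructed sample copies of both files (no sshd or iptables needed) and reports the effective `PasswordAuthentication` value, every TCP port a chain accepts that is not on the intended list, and whether each chain ends in an unconditional DROP. The function names (`sshd_effective`, `fw_accepted_tcp`, `fw_unexpected`, `fw_default_drop`), the temporary file paths and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original setup notes. Offline pre-flight
# checks for the ssh and firewall steps:
#   sshd_effective FILE KEYWORD      effective value under sshd_config's
#                                    first-match rule; directives after the
#                                    first "Match" line apply only inside that
#                                    block. "Include" is NOT followed here,
#                                    `sshd -T` on the host covers that.
#   fw_unexpected FILE CHAIN "PORTS" accepted TCP dports in CHAIN that are
#                                    not in the space-separated PORTS list
#                                    (printed; exit 1 if there are any)
#   fw_default_drop FILE CHAIN       exit 0 if CHAIN's last rule is an
#                                    unconditional "-j DROP"

sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        tolower($1) == "match" { exit }        # rest of file is Match blocks
        {
            line = $0
            sub(/^[ \t]+/, "", line)           # leading indentation
            sub(/[ \t]*=[ \t]*/, " ", line)    # "Key=Value" -> "Key Value"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == key) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "(default)" }
    ' "$1"
}

# "CHAIN PORT" for every "-A CHAIN ... -p tcp ... --dport PORT ... -j ACCEPT".
fw_accepted_tcp() {
    awk '$1 == "-A" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $2, $(i + 1)
         }' "$1" | sort -u
}

fw_unexpected() {
    fw_accepted_tcp "$1" | awk -v chain="$2" -v want=" $3 " '
        $1 == chain && index(want, " " $2 " ") == 0 { print $2; bad = 1 }
        END { exit bad }'
}

fw_default_drop() {
    awk -v chain="$2" '
        $1 == "-A" && $2 == chain { last = $0 }
        END { exit !(last ~ /-j DROP/ && last !~ /--dport/ && last !~ /-p /) }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sshd_config (not a real host's file): "no" was appended at the
# end, but it lands inside the Match block, so the earlier "yes" stays in force.
cat > "$tmp/sshd_config" <<'EOF'
# constructed sample
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
PermitRootLogin = prohibit-password
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
EOF

# Constructed rules file in the style of /etc/iptables.up.rules above, with one
# port (8080) that is not on the intended public list.
cat > "$tmp/rules.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-USER -i eth0 -j DROP
COMMIT
EOF

# The ports the notes above intend to expose through DOCKER-USER.
WANT_PUBLIC="25 465 587 143 993 110 995 4190 80 443"

echo "effective PasswordAuthentication: $(sshd_effective "$tmp/sshd_config" PasswordAuthentication)"
echo "DOCKER-USER ports not on the intended list:"
fw_unexpected "$tmp/rules.v4" DOCKER-USER "$WANT_PUBLIC" || echo "-> fix the file before iptables-restore"
fw_default_drop "$tmp/rules.v4" INPUT && echo "INPUT ends in an unconditional DROP"
```

On the real host, point the functions at `/etc/ssh/sshd_config` and `/etc/iptables.up.rules`. `sshd -T | grep -i passwordauthentication` remains the authoritative check for sshd because it follows `Include` directives, which this parser does not, and `iptables-restore --test < /etc/iptables.up.rules` validates the syntax the kernel will see before anything is committed.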