

Dreckbu.de server initial setup

ssh

# as root: create the admin account, then make it a member of the sudo group
adduser noah
usermod --append --groups sudo noah
  • Copy your public key to the server with ssh-copy-id -i KEY_FILE user@host (do this before disabling password authentication below, otherwise you lock yourself out).
# Edit the SSH daemon configuration (the change to make is listed below).
# NOTE(review): if this host has /etc/ssh/sshd_config.d/ with an Include line at
# the top of sshd_config (the Debian/Ubuntu default), drop-ins there win over a
# later setting in this file — confirm the effective value afterwards with
# `sshd -T | grep -i passwordauthentication`.
nano /etc/ssh/sshd_config
  • Change PasswordAuthentication yes to PasswordAuthentication no.
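# Validate the edited config before restarting: a syntax error would otherwise
# leave sshd unable to start and lock you out of the box.
sshd -t && systemctl restart sshd
# Keep this session open and confirm key-based login from a second terminal
# before closing it; password logins are no longer accepted after the restart.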

software

# Refresh the package index and bring installed packages up to date first.
apt update && apt upgrade
# Base tooling for interactive administration.
apt install vim tmux htop zsh
# Interactive prompt: choose which editor /usr/bin/editor points at system-wide.
update-alternatives --config editor

firewall

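# Inventory what is already listening before writing firewall rules: every port
# opened in DOCKER-USER below should correspond to a real service. ss(8) is the
# maintained replacement for netstat, and the pattern is anchored on the local
# address column (":25 " etc.) so a PID or address octet that happens to contain
# one of these numbers is not reported as a listener (a bare -w match would be).
ss -tulpn | grep -E ':(25|80|110|143|443|465|587|993|995)[[:space:]]'
# Provides the rules.v4/rules.v6 files restored at boot; the installer prompts
# whether to save the currently loaded rules (both files are rewritten below).
apt install iptables-persistent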
  • Base iptables ruleset, written with vim /etc/iptables.up.rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]

##
# INPUT — traffic addressed to the host itself. The chain policy is ACCEPT, so
# the explicit "-A INPUT -j DROP" at the end is what actually closes the host.
# Any rule appended later with -A lands *after* that DROP and never matches;
# insert with -I, or edit this file and restore it again.
##

# Allow localhost
-A INPUT -i lo -j ACCEPT

# Allow established connections (also covers replies to the host's own outbound traffic)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP ping (echo-request only)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# SSH — the only service exposed on the host itself; everything else is reached
# through the containers (DOCKER-USER below).
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# INPUT default DROP
-A INPUT -j DROP

##
# DOCKER-USER rules — traffic forwarded to containers. Docker's documented
# behaviour is to jump to this chain first from FORWARD, so these rules are
# evaluated before Docker's own port-publishing rules. Every rule matches on
# -i eth0, i.e. assumes the public interface is eth0 — TODO confirm with
# `ip -br link`. Traffic arriving on other interfaces (docker0, container to
# container) is not matched here and falls through to Docker's rules.
##

# Allow established connections
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# SMTP (inbound mail delivery)
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

# http
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# https
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT

# DOCKER-USER default DROP for anything else arriving on eth0
-A DOCKER-USER -i eth0 -j DROP

COMMIT
  • Modified ruleset, again edited with vim /etc/iptables.up.rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]

##
# INPUT — traffic addressed to the host itself. The chain policy is ACCEPT, so
# the explicit "-A INPUT -j DROP" at the end is what actually closes the host.
# Any rule appended later with -A lands *after* that DROP and never matches;
# insert with -I, or edit this file and restore it again.
##
# Allow localhost
-A INPUT -i lo -j ACCEPT
#
# Allow established connections (also covers replies to the host's own outbound traffic)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#
# Allow ICMP ping (echo-request only)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# SSH — the only service exposed on the host itself
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#
# INPUT default DROP
-A INPUT -j DROP
#
##
# DOCKER-USER rules — traffic forwarded to containers. Docker's documented
# behaviour is to jump to this chain first from FORWARD, so these rules are
# evaluated before Docker's own port-publishing rules. Every rule matches on
# -i eth0, i.e. assumes the public interface is eth0 — TODO confirm with
# `ip -br link`. Traffic on other interfaces (docker0, container to container)
# is not matched here.
##
# Allow established connections
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#
# SMTP (inbound mail delivery)
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
# SMTPS
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 465 -j ACCEPT
# Postfix Submission
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 587 -j ACCEPT
# IMAP (plaintext port; only keep it open if the mail server enforces STARTTLS on it)
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
# IMAPS
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
# POP3 (plaintext port; same caveat as IMAP)
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
# POP3S
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
# Dovecot ManageSieve
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 4190 -j ACCEPT
# http
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# https
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
#
# DOCKER-USER default DROP for anything else arriving on eth0
-A DOCKER-USER -i eth0 -j DROP
COMMIT
# Load the hand-written ruleset atomically (nothing is applied if the file fails
# to parse). The current SSH session survives because port 22 and
# RELATED,ESTABLISHED are accepted in INPUT.
iptables-restore < /etc/iptables.up.rules
# Persist for reboot. NOTE(review): this dumps the *live* table, so if Docker is
# running it also captures Docker's own dynamically managed chains and rules;
# restoring those at boot before dockerd starts can leave stale entries —
# consider saving /etc/iptables.up.rules itself instead. TODO confirm.
iptables-save > /etc/iptables/rules.v4
# NOTE(review): nothing above creates an IPv6 ruleset, so this saves whatever
# ip6tables currently holds — on a default install an empty ACCEPT-all table.
# If the host has a routable IPv6 address (`ip -6 addr`), every port is then
# reachable over v6 regardless of the v4 rules; mirror the ruleset with
# ip6tables or disable v6 on the interface, and verify with `ip6tables -S`.
ip6tables-save > /etc/iptables/rules.v6

Leave iptables alone after this — touching it breaks everything!!!

datetime

# Check the clock and that NTP synchronisation is active: TLS certificate
# validity windows and log correlation both depend on correct time.
timedatectl status

hostname and fqdn

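# Static hostname file, read at boot.
vim /etc/hostname
# replace with srv01
# Apply the new name to the running kernel immediately; -F reads it from the
# file itself, so there is no unquoted command substitution to word-split.
hostname -F /etc/hostname
# resolvconf prepends this file to the resolv.conf it generates.
vim /etc/resolvconf/resolv.conf.d/head
# add domain dreckbu.de at the end
# Regenerate /etc/resolv.conf from the updated head file.
resolvconf -u
# Sets the static and transient names through systemd (this also covers what
# the manual hostname call above did; kept so the sequence matches the notes).
hostnamectl set-hostname srv01
# Keep the local name resolvable without DNS. Debian's convention is a
# "127.0.1.1 srv01.dreckbu.de srv01" line so that `hostname -f` returns the FQDN.
vim /etc/hosts
# replace with srv01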