Rackspace Cloud Server Setup Process

Initial Security Configuration
  1. Log into server as root
  2. Change root password:
     passwd
  3. Add admin user:
     adduser <username>
     usermod -a -G sudo <username>
     visudo
        %sudo ALL=(ALL) ALL
  4. Update system
          1. apt-get update
          2. apt-get upgrade
  5. Configure SSH
          1. nano /etc/ssh/sshd_config
                   1. Port <ssh port number>
                   2. Protocol 2
                   3. PermitRootLogin no
                   4. PasswordAuthentication yes (keyword values are lowercase; change
                      this to "no" as soon as <username> has a public key in
                      ~/.ssh/authorized_keys, otherwise the admin account stays open to
                      password guessing on whatever port you chose)
                   5. X11Forwarding no
                   6. UsePAM no (Ubuntu's sshd is built against PAM and the stock file
                      ships "UsePAM yes"; turning it off skips the PAM account and
                      session stages such as password expiry, so keep "yes" unless you
                      have a specific reason)
                   7. UseDNS no
                   8. AllowUsers <username>
          2. sshd -t (reports syntax errors; an unparseable file leaves you with no sshd
             after the restart), then /etc/init.d/ssh restart. Keep this session open
             and confirm a second login as <username> on the new port works before
             closing it.
  6. Configure iptables (rules are evaluated top to bottom, so the SSH port must be
     accepted before the catch-all DROP; a typo in step 2 locks you out)
          1. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
          2. iptables -A INPUT -p tcp --dport <ssh port number> -j ACCEPT
          3. iptables -A INPUT -p tcp --dport 80 -j ACCEPT
          4. iptables -A INPUT -j DROP
          5. iptables -I INPUT 1 -i lo -j ACCEPT
          6. iptables -L -v -n (display the rules; check that the SSH ACCEPT sits above
             the DROP, and open a second SSH session to prove it)
          7. iptables-save > /etc/iptables.rules
  7. Set iptables rules to apply at boot
          1. nano /etc/network/if-pre-up.d/iptaload
             #!/bin/sh
             iptables-restore < /etc/iptables.rules
             exit 0
          2. nano /etc/network/if-post-down.d/iptasave
             #!/bin/sh
             if [ -f /etc/iptables.downrules ]; then
                iptables-restore < /etc/iptables.downrules
             fi
             iptables-save -c > /etc/iptables.save
             exit 0
          3. chmod +x /etc/network/if-post-down.d/iptasave
          4. chmod +x /etc/network/if-pre-up.d/iptaload
          5. Reboot and run iptables -L to verify successful load
  8. Configure time, timezone, and time synchronization
           1. sudo dpkg-reconfigure tzdata
                  1. Select correct region and timezone
           2. sudo nano /etc/cron.daily/ntpdate
              #!/bin/sh
              ntpdate ntp.ubuntu.com
              (run-parts executes the file directly, so it needs the #!/bin/sh line)
           3. sudo chmod 755 /etc/cron.daily/ntpdate
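Step 5 as a script, added here as a worked example; it is not part of the original checklist. It rewrites the sshd_config keywords listed above in place (including commented-out defaults such as "#Port 22"), collapses duplicate keywords so the first occurrence, the one sshd actually honours, is the one you set, and reads the effective values back so they can be checked before sshd is restarted. The function names, the constructed sample config, and the port and user values are assumptions made for the example; try it on a copy of /etc/ssh/sshd_config before the real file.

```shell
#!/bin/sh
# Added example, not from the original checklist: apply the step 5 sshd_config
# settings with a script so the result is repeatable and checkable.
# Assumptions: POSIX sh, awk (mawk or gawk) and mktemp; the config path is a
# parameter so this can be tried on a scratch copy before /etc/ssh/sshd_config.

# sshd_set FILE KEY VALUE
# Rewrite the first line that sets KEY ("Port 22" or the commented-out default
# "#Port 22") to "KEY VALUE", drop later duplicates, or append if KEY is absent.
# sshd uses the first occurrence of a keyword, so a stale duplicate higher up
# silently wins over the line you edited; collapsing them removes that trap.
sshd_set() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip indent and "#"
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                  # swallow duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"       # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sshd_get FILE KEY : print the value sshd would use (first uncommented hit).
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd FILE PORT USER PASSWORD_AUTH
# The checklist's keywords. PASSWORD_AUTH is "yes" only until USER has a key in
# ~/.ssh/authorized_keys, then "no". UsePAM is deliberately left untouched.
harden_sshd() {
    port=$2 user=$3 pwauth=$4
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    case $pwauth in yes|no) ;; *) echo "PASSWORD_AUTH must be yes or no" >&2; return 1 ;; esac
    sshd_set "$1" Port "$port" &&
    sshd_set "$1" Protocol 2 &&
    sshd_set "$1" PermitRootLogin no &&
    sshd_set "$1" PasswordAuthentication "$pwauth" &&
    sshd_set "$1" X11Forwarding no &&
    sshd_set "$1" UseDNS no &&
    sshd_set "$1" AllowUsers "$user"
}

# Constructed sample (a few lines in the shape of the stock Ubuntu file, not a
# real server's config) run through the functions on a scratch copy.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# Package generated configuration file' 'Port 22' 'Protocol 2' \
        '#PermitRootLogin yes' 'PasswordAuthentication yes' 'X11Forwarding yes' \
        'UsePAM yes' > "$f"
    harden_sshd "$f" 2222 alice no || return 1
    cat "$f"
    for k in Port PermitRootLogin PasswordAuthentication AllowUsers UsePAM; do
        printf '%-22s %s\n' "$k" "$(sshd_get "$f" "$k")"
    done
    # Always syntax-check before "/etc/init.d/ssh restart": sshd -t on the real
    # file is what keeps a typo from leaving the server with no sshd at all.
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$f" || echo "sshd rejected the config; do not restart yet" >&2
    fi
    rm -f "$f"
}
demo
```

Run it as root against /etc/ssh/sshd_config only after the scratch run prints the values you expect, and keep the existing session open while testing the new port.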

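Steps 6 and 7 as one script, added here as a worked example and not part of the original checklist: it emits the same ruleset in the iptables-restore format that /etc/iptables.rules holds after iptables-save, validates the port arguments, and refuses to keep a file whose SSH ACCEPT does not precede the catch-all DROP, the mistake that cuts off the session you are typing in. Function names, the output path and the sample ports are assumptions for the example; it writes a file and never calls iptables-restore itself.

```shell
#!/bin/sh
# Added example, not from the original checklist: produce the step 6 ruleset in
# iptables-restore format (what step 7 loads at boot) and check it for the
# classic self-lockout before it is kept. Assumptions: POSIX sh with awk; the
# output path is a parameter and nothing here calls iptables itself.

# valid_port N : 0 if N is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules SSH_PORT [TCP_PORT...]
# The checklist's INPUT chain: loopback and established traffic first, the SSH
# port, any extra TCP ports (80 for the web server), then the catch-all DROP.
# Policies stay ACCEPT as in the checklist, so the final rule does the blocking.
gen_rules() {
    ssh_port=$1; shift
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in "$ssh_port" "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# ssh_reachable RULES_FILE SSH_PORT
# 0 if INPUT accepts tcp/SSH_PORT before any unconditional DROP or REJECT.
# Rules match top to bottom: an ACCEPT below "-A INPUT -j DROP", or a port that
# is not the one sshd listens on, never fires, and the next iptables-restore
# ends the session you are working from.
ssh_reachable() {
    awk -v port="$2" '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (proto == "tcp" && dport == port && target == "ACCEPT") { found = 1; exit }
            if (NF == 4 && (target == "DROP" || target == "REJECT")) exit   # catch-all
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# install_rules OUT_FILE SSH_PORT [TCP_PORT...]
# Write the ruleset to OUT_FILE (/etc/iptables.rules on a real host) only if the
# ports are sane and the lockout check passes; loading is left to the operator.
install_rules() {
    out=$1; shift
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    gen_rules "$@" > "$out" || return 1
    ssh_reachable "$out" "$1" || {
        echo "refusing to keep $out: tcp/$1 is not accepted before the DROP" >&2
        rm -f "$out"; return 1
    }
    echo "wrote $out; load it with: iptables-restore < $out" >&2
}

# Demo on scratch files; the "bad" ruleset is constructed to show the check
# firing (DROP appended before the SSH rule, i.e. step 4 run before step 2).
demo() {
    good=$(mktemp) && bad=$(mktemp) || return 1
    install_rules "$good" 2222 80 && cat "$good"
    printf '%s\n' '*filter' '-A INPUT -i lo -j ACCEPT' '-A INPUT -j DROP' \
        '-A INPUT -p tcp --dport 2222 -j ACCEPT' 'COMMIT' > "$bad"
    ssh_reachable "$bad" 2222 || echo "bad ruleset would lock out SSH, as expected" >&2
    rm -f "$good" "$bad"
}
demo
```

ssh_reachable also works on the file iptables-save wrote in step 6.7, so it can be re-run after any later hand edit and before the if-pre-up.d hook is allowed to load the file at boot.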


Scanning for rootkits
  1.   sudo apt-get install build-essential
  2.   cd ~
  3.   mkdir sources
  4.   cd sources
  5.   wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
  6.   md5sum chkrootkit.tar.gz
            1. Compare result with http://www.reznor.com/tools/chkrootkit.md5
  7.   tar xvfz chkrootkit.tar.gz
  8.   cd chkrootkit-0.49
  9.   make sense
 10.   sudo ./chkrootkit
 11.   sudo crontab -e
             1. 0 3 * * * (cd /home/<username>/sources/chkrootkit-0.49;
                ./chkrootkit 2>&1 | mail -s "chkrootkit output" <admin email>)
                This runs a binary owned by <username> as root every night, so
                anyone who can write to that home directory can run code as root.
                Copy the built tree to a root-owned location (for example
                /usr/local/chkrootkit) and point the job there.
 12.   cd ~/sources
 13.   wget http://cdnetworks-us-2.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.6/rkhunter-1.3.6.tar.gz
 14.   tar xvfz rkhunter-1.3.6.tar.gz
 15.   cd rkhunter-1.3.6

  1. sudo ./installer.sh --layout default --install
  2. sudo /usr/local/bin/rkhunter --update
  3. sudo /usr/local/bin/rkhunter -c
  4. sudo /usr/local/bin/rkhunter --propupd (records file hashes as the baseline, so
     run it only on a system you believe is clean, and re-run it after package
     upgrades or every nightly run will report the updated binaries as warnings)
  5. mkdir ~/bin
  6. cd ~/bin
  7. nano rkhunterscript
     #!/bin/sh
     (/usr/local/bin/rkhunter --versioncheck
     /usr/local/bin/rkhunter --update
     /usr/local/bin/rkhunter --cronjob --report-warnings-only
     ) | /usr/bin/mail -s "rkhunter output" <admin email>
  8. chmod 750 rkhunterscript
  9. sudo crontab -e
     30 3 * * * /home/<username>/bin/rkhunterscript
     (the script takes no arguments; as with the chkrootkit job, root is executing a
     file owned by <username>, so install it root-owned, for example in
     /usr/local/sbin, before relying on it)



Install and configure LAMP & Mail
  1. sudo nano /etc/hostname
     <domainname>
 2. sudo nano /etc/hosts
    127.0.0.1 <domainname>
    127.0.0.1 www.<domainname>
 3. sudo apt-get install dnsutils
 4. sudo tasksel
         1. Select LAMP Server and Mail Server
                 1. Mail server host name: <domainname>
                 2. Mail server mode: Internet
 5. sudo nano /etc/postfix/main.cf
         1. myorigin = $mydomain
         2. mydestination = $mydomain, localhost.$mydomain, localhost
         3. mynetworks = 127.0.0.1
 6. cd /var/www
 7. sudo nano info.php
    <?php
    phpinfo();
    ?>
 8. Reboot server
 9. Go to http://serverip/info.php and verify that the PHP info screen displays,
    then sudo rm /var/www/info.php: the page lists the PHP version, loaded modules,
    paths and environment variables to anyone who requests it.
10. Install Webmin
         1. cd ~
         2. wget http://prdownloads.sourceforge.net/webadmin/webmin_1.510-2_all.deb
         3. sudo apt-get install libnet-ssleay-perl libauthen-pam-perl libio-pty-perl libmd5-perl
         4. sudo apt-get install apt-show-versions
         5. sudo apt-get -f install
         6. sudo dpkg -i webmin_1.510-2_all.deb
         7. Webmin listens on port 10000 on every interface. The iptables rules above
            do not accept 10000, so it is reachable only through the SSH tunnel set up
            in the next step; to stop depending on the firewall alone, set
            bind=127.0.0.1 in /etc/webmin/miniserv.conf and run
            sudo /etc/init.d/webmin restart.
11. Update the PuTTY configuration to tunnel ports 10000 and 10001 to the server:
         1. Open PuTTY
         2. On the Session tab, enter the server IP address and port <sshportnumber>
         3. On the Connection > SSH > Tunnels tab:
                 1. Source=10000; Destination=localhost:10000 (for accessing Webmin)
                 2. Source=10001; Destination=localhost:10001 (for accessing phpMyAdmin)
         4. On the Session tab, enter a name and click the Save button
         5. Click the Open button and log in to the server
12. Configuring Apache
         1. Enable mod_rewrite
                 1. sudo a2enmod rewrite
         2. Configure Apache for website
                  1. sudo nano /etc/apache2/ports.conf
                          1. Add the following line after "Listen 80":
                             Listen 127.0.0.1:10001
                             (only the SSH tunnel needs this port, so bind it to
                             loopback rather than relying on the firewall alone)
                  2. sudo nano /etc/apache2/sites-available/default
                          1. Change <VirtualHost *:80> to <VirtualHost *:10001>
                          2. ServerAdmin webmaster@<domainname>
                  3. sudo mkdir -p /var/www (already exists; -p keeps this from erroring)
                 4. sudo mkdir /var/www/<domainname>
                 5. sudo mkdir /var/www/<domainname>/htdocs
                 6. sudo mkdir /var/www/<domainname>/log
                 7. sudo mkdir /var/www/<domainname>/log/apache2
                   8. cd /etc/apache2/sites-available
                   9. sudo cp default <domainname>
                   10. sudo nano <domainname>
                            1. <VirtualHost *:80>
                            2. DocumentRoot /var/www/<domainname>/htdocs
                            3. Replace the <Directory> blocks with a single
                               <Directory /var/www/<domainname>/htdocs> block containing
                               AllowOverride All. mod_rewrite only needs .htaccess
                               honoured under the site tree; AllowOverride All on
                               <Directory /> would honour .htaccess files anywhere on
                               the filesystem Apache can read.
                            4. Remove the ScriptAlias block
                            5. ErrorLog /var/www/<domainname>/log/apache2/error.log
                            6. CustomLog /var/www/<domainname>/log/apache2/access.log combined
                               (CustomLog requires the format argument; without
                               "combined" Apache refuses to start)
                            7. Remove the Alias /doc/ line and its <Directory> block
                  11. Create a symlink to the above configuration file:
                       sudo ln -s /etc/apache2/sites-available/<domainname> /etc/
                       apache2/sites-enabled/001-<domainname>
                  12. Restart apache: sudo /etc/init.d/apache2 restart
13.   Install phpMyAdmin
          1. sudo apt-get install phpmyadmin
          2. Log into phpMyAdmin as root (http://localhost:10001/phpmyadmin through the
             tunnel)
                   1. Go to the Privileges tab
                           1. Add a new User
                                    1. User name = <username>
                                    2. Host = Local (localhost)
                                    3. Password = enter password
                                    4. Database for user = None
                                    5. Global privileges = Check All (this is a second
                                       DBA account; give each web application its own
                                       MySQL user limited to its own database rather
                                       than reusing it)
                   2. Log out of phpMyAdmin as root and log back in as <username>
          3. The package enables /phpmyadmin for every virtual host through
             /etc/apache2/conf.d/phpmyadmin.conf, not just the 10001 one. Browse to
             http://<serverip>/phpmyadmin from outside; if it loads, remove that
             conf.d symlink and Include /etc/phpmyadmin/apache.conf inside the
             <VirtualHost *:10001> block instead.
14.   Install APC
          1. sudo apt-get install php-pear php5-dev apache2-threaded-dev
          2. sudo pecl install apc
          3. sudo nano /etc/php5/conf.d/apc.ini
               extension=apc.so
               apc.enabled=1
               apc.shm_size=30
          4. sudo /etc/init.d/apache2 restart
          5. sudo ln /usr/share/php/apc.php /var/www/apc.php
          6. sudo nano /usr/share/php/apc.php
               Change the line defaults('ADMIN_PASSWORD','password'); to
               defaults('ADMIN_PASSWORD','<new admin password>'); apc.php shows
               cached file names and can flush the cache, so do not leave the default.
15.   Install PECL UploadProgress
          1. sudo pecl install uploadprogress
16.   Configure PHP
          1. cd /etc/php5/apache2/
          2. sudo nano php.ini
                   1. memory_limit = 48M
                   2. log_errors = On
                   3. error_log = syslog
                   4. post_max_size = 12M
                   5. upload_max_filesize = 8M
                   6. apc.rfc1867 = 1 (add after the upload_max_filesize setting)
                   7. extension=uploadprogress.so
17.   Restart apache: sudo /etc/init.d/apache2 restart
18.   Recompile PHP with GD2 support
         1.   sudo apt-get install build-essential debhelper fakeroot
         2.   cd /usr/src
         3.   sudo apt-get source php5
         4.   sudo apt-get build-dep php5
         5.   cd php5-5.2.10.dfsg.1
         6.   sudo nano debian/rules
                   1. Ctrl-W: --with-gd=shared
                   2. Change line to be:
                      --with-gd=shared --enable-gd-native-ttf \
                      (the flag is --enable-gd-native-ttf; a misspelled configure
                      option is ignored and the rebuilt package is no different)
         7.   sudo dpkg-buildpackage -rfakeroot
         8.   cd ..
         9.   sudo dpkg -i php5-gd_5.2.10.dfsg.1-2ubuntu6.4_i386.deb
              (the version and architecture in the name are whatever apt-get source
              fetched and the machine is, so install the .deb dpkg-buildpackage
              actually produced)
        10.   Restart apache: sudo /etc/init.d/apache2 restart
              The next php5 security update from the archive will replace this local
              php5-gd and drop the native TTF option unless the package is held
              (echo "php5-gd hold" | sudo dpkg --set-selections); holding it also
              means you must rebuild it yourself whenever PHP security fixes ship.
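Step 12 as a complete site configuration, added here as an example rather than taken from the original checklist: vhost_config prints the whole virtual host that the edits in step 12.2.10 produce, with AllowOverride scoped to the site's htdocs and the ScriptAlias and /doc/ entries already gone, and vhost_lint catches what slips through hand edits (a leftover <Directory /> block, a CustomLog line missing its format argument, the removed aliases still present). Function names, the example.com domain and the scratch directories are assumptions; apache2ctl configtest is only run when writing to the real sites-available directory.

```shell
#!/bin/sh
# Added example, not from the original checklist: write the step 12 site
# configuration in one go and lint it for the items the checklist removes.
# Assumptions: Apache 2.2 layout (sites-available/<name>, Order/Allow syntax);
# directories are parameters so the functions can run against a scratch tree.

# vhost_config DOMAIN : print the :80 virtual host from step 12.2.10.
# AllowOverride is scoped to the DocumentRoot rather than "/" so .htaccess is
# honoured only under the site tree; there is no ScriptAlias and no /doc/ Alias.
vhost_config() {
    domain=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    ServerAdmin webmaster@$domain
    DocumentRoot /var/www/$domain/htdocs

    <Directory /var/www/$domain/htdocs>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/www/$domain/log/apache2/error.log
    LogLevel warn
    CustomLog /var/www/$domain/log/apache2/access.log combined
</VirtualHost>
EOF
}

# vhost_lint FILE : 1 if FILE still carries anything step 12 says to remove,
# grants .htaccess control outside the site tree, or has a CustomLog without
# its format (which makes Apache refuse to start).
vhost_lint() {
    f=$1; rc=0
    grep -q 'ScriptAlias' "$f"   && { echo "ScriptAlias still present" >&2; rc=1; }
    grep -q 'Alias /doc/' "$f"   && { echo "/doc/ Alias still present" >&2; rc=1; }
    grep -q '<Directory />' "$f" && { echo "<Directory /> block present" >&2; rc=1; }
    grep -Eq '^[[:space:]]*CustomLog[[:space:]]+[^[:space:]]+[[:space:]]*$' "$f" \
        && { echo "CustomLog missing its format argument" >&2; rc=1; }
    return $rc
}

# install_vhost DOMAIN [SITES_AVAILABLE] [SITES_ENABLED]
# Write the file, lint it, enable it the way step 12.2.11 does, and syntax-check
# the live configuration before anyone runs the restart in step 12.2.12.
install_vhost() {
    domain=$1 avail=${2:-/etc/apache2/sites-available} enabled=${3:-/etc/apache2/sites-enabled}
    vhost_config "$domain" > "$avail/$domain" || return 1
    vhost_lint "$avail/$domain" || return 1
    ln -sf "$avail/$domain" "$enabled/001-$domain"
    if [ "$avail" = /etc/apache2/sites-available ] && command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl configtest || return 1          # never restart on a broken config
    fi
}

# Demo on a scratch tree; the "before" fragment is constructed to show the two
# mistakes vhost_lint is there to catch.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/available" "$d/enabled"
    install_vhost example.com "$d/available" "$d/enabled" && cat "$d/available/example.com"
    printf '%s\n' '<Directory />' '    AllowOverride All' '</Directory>' \
        'CustomLog /var/log/apache2/access.log' > "$d/before"
    vhost_lint "$d/before" || echo "before: would not pass" >&2
    rm -rf "$d"
}
demo
```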




Configure server to automatically apply security updates
  1. sudo apt-get install unattended-upgrades
  2. sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
         1. Uncomment Unattended-Upgrade::Automatic-Reboot and set it to "true";
            (this reboots the server without warning whenever an update asks for it,
            so leave it "false" if an unannounced reboot costs more than a delayed
            patch)
         2. Uncomment Unattended-Upgrade::Mail and set it to "<admin email>";
  3. Nothing runs until the daily APT job is turned on: put
     APT::Periodic::Update-Package-Lists "1"; and APT::Periodic::Unattended-Upgrade "1";
     in /etc/apt/apt.conf.d/10periodic, then check /var/log/unattended-upgrades/ the
     next day to confirm it ran.
