Setting up a Server: Difference between revisions
>Toynbeeidea |
>Toynbeeidea No edit summary |
||
Line 1: | Line 1: | ||
[[File:Setting_up_a_Fileserver.jpeg|thumb|The gist of things]] | [[File:Setting_up_a_Fileserver.jpeg|thumb|The gist of things]] | ||
Need to [http://wiki.installgentoo.com/index.php?title=Email#Self_Hosted_Email selfhost] mail? Need a fileserver? Well, here's some advice. We're gonna try to write this like you've never done this shit before. It does, however, assume you have at least some basic [[GNU/Linux]] knowledge. If you don't, you probably aren't ready for this | Need to [http://wiki.installgentoo.com/index.php?title=Email#Self_Hosted_Email selfhost] mail? Need a fileserver? Well, here's some advice. We're gonna try to write this page like you've never done this shit before. It does, however, assume you have at least some basic [[GNU/Linux]] knowledge. If you don't, you probably aren't ready for this. | ||
A lot of this applies to both a physical machine as well as a [[VPS]] setup. | A lot of this applies to both a physical machine as well as a [[VPS]] setup. | ||
Line 22: | Line 22: | ||
faggot ALL=(ALL) ALL | faggot ALL=(ALL) ALL | ||
Install [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html PuTTY], on a different machine than the one you are setting up as the server. This will include PuTTYGen. | Install [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html PuTTY], on a different machine than the one you are setting up as the server. This will include PuTTYGen. PuTTY is [[freedom|free]] software, and is available for Windows and most GNU/Linux distros. | ||
Run PuTTYGen to generate a public/private key pair. Go with SSH-2 DSA, 4096 bits - nobody's gonna crack that shit easily. When done, it will display your public key. Copy and paste that text into a text file, but omit the last bit that says "dsa-key-########". DO NOT PUT IN A PASSPHRASE. Save the private key. | Run PuTTYGen to generate a public/private key pair. Go with SSH-2 DSA, 4096 bits - nobody's gonna crack that shit easily. When done, it will display your public key. Copy and paste that text into a text file, but omit the last bit that says "dsa-key-########". DO NOT PUT IN A PASSPHRASE. Save the private key. | ||
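Review bot: the context line under this change still says "DO NOT PUT IN A PASSPHRASE" without giving a reason, which leaves the saved private key file usable by anyone who obtains a copy of it. Either state why the passphrase is skipped, or recommend setting one and loading the key into Pageant.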
Line 41: | Line 41: | ||
chmod 600 ~/.ssh/authorized keys | chmod 600 ~/.ssh/authorized keys | ||
DO NOT LOG OUT OF PuTTY, but open another connection to your server, only this time point PuTTY to your private key file to test it out. If it all goes well, your login will look something like this: | DO NOT LOG OUT OF PuTTY YET, but open another connection to your server, only this time point PuTTY to your private key file to test it out. If it all goes well, your login will look something like this: | ||
Using username "faggot". | Using username "faggot". | ||
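Review bot: the context line above this change, "chmod 600 ~/.ssh/authorized keys", has a space where the file name needs an underscore, so chmod is handed two paths and neither is the key file. Change it to "~/.ssh/authorized_keys" while this paragraph is being edited.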
Line 50: | Line 50: | ||
sudo nano /etc/ssh/sshd_config | sudo nano /etc/ssh/sshd_config | ||
You can change the SSH port here to a random number - that's optional though, because bots are gonna find it anyhow. But if you do change it don't forget to change it in PuTTY as well. But DO make the following changes: | You can change the SSH port here to a random number - that's optional though, because hacker bots are gonna find it anyhow. But if you do change it don't forget to change it in PuTTY as well. | ||
But DO make the following changes: | |||
PermitRootLogin no | PermitRootLogin no | ||
Line 74: | Line 76: | ||
Want to use your own email server to avoid the [[NSA]]? Good call! But setting up email servers can be pretty complicated. Assuming you mostly don't know what the hell you are doing, and assuming you're already secured your system per above, have a peek at [http://www.iredmail.org/ iRedMail]. iRedMail is an automated email and web server setup package. It works best if installed on a FRESH system - if you're already fumbled around with Apache and/or dovecot and/or postfix and failed, wipe your shit and start over with iRedMail. It will install and configure Postfix, Dovecot, Apache, and MySQL. It also installs and configures fail2ban and iptables. It includes spam filtering and greylisting. It just works. Its pretty awesome. | Want to use your own email server to avoid the [[NSA]]? Good call! But setting up email servers can be pretty complicated. Assuming you mostly don't know what the hell you are doing, and assuming you're already secured your system per above, have a peek at [http://www.iredmail.org/ iRedMail]. iRedMail is an automated email and web server setup package. It works best if installed on a FRESH system - if you're already fumbled around with Apache and/or dovecot and/or postfix and failed, wipe your shit and start over with iRedMail. It will install and configure Postfix, Dovecot, Apache, and MySQL. It also installs and configures fail2ban and iptables. It includes spam filtering and greylisting. It just works. Its pretty awesome. | ||
You will, however, still need to manually set up SPF and DKIM | You will, however, still need to manually set up DNS records for SPF and DKIM. | ||
[[Category:Tutorials]] | [[Category:Tutorials]] |
Revision as of 16:58, 4 February 2014
Need to selfhost mail? Need a fileserver? Well, here's some advice. We're gonna try to write this page like you've never done this shit before. It does, however, assume you have at least some basic GNU/Linux knowledge. If you don't, you probably aren't ready for this.
A lot of this applies to both a physical machine as well as a VPS setup.
Protecting Your Private Network
Use a DMZ, nigger.
Protecting from DDoS and shit
Use Fail2Ban and perhaps a redundant computer in the DMZ. Also never use passwords, only keyfiles.
Securing your shell
Add a non-root user. Then, while logged in as root, do this:
visudo
Go down to the bit where it says # User privilege specification, and copy the setup for the root line. So, if your non-root user is "faggot," it will look like so:
# User privilege specification
root ALL=(ALL) ALL
faggot ALL=(ALL) ALL
Install PuTTY, on a different machine than the one you are setting up as the server. This will include PuTTYGen. PuTTY is free software, and is available for Windows and most GNU/Linux distros.
Run PuTTYGen to generate a public/private key pair. Go with SSH-2 DSA, 4096 bits - nobody's gonna crack that shit easily. (OpenSSH 7.0 and later refuse DSA keys by default, so on a current server pick RSA or Ed25519 in PuTTYGen instead.) When done, it will display your public key. Copy and paste that text into a text file, but omit the last bit that says "dsa-key-########". DO NOT PUT IN A PASSPHRASE. Save the private key.
Open PuTTY and log in as your non-root user. Then do this:
mkdir /home/faggot/.ssh
nano /home/faggot/.ssh/authorized_keys
Paste in the public key that you saved as a text file. MAKE SURE IT IS ALL ONE LINE, like so:
ssh-dss [insanely long string of crap]
And save it.
Now lock down its permissions so only you can read and write it:
chmod 600 ~/.ssh/authorized_keys
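A quick check for the two mistakes the steps above warn about, a key that got wrapped onto several lines and a file with loose permissions, as an added example that is not part of the original page. The function names and the sample key text are made up for illustration, and it assumes plain key lines with no options prefix.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check authorized_keys.
# Assumes plain "type base64 [comment]" lines with no options prefix.

# Print one line per problem; the return status is the number of problems.
check_authorized_keys() {
    f=$1; n=0; lineno=0
    perms=$(ls -ld "$f" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        echo "mode $perms, expected -rw------- (chmod 600)"; n=$((n + 1))
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;
            '---- BEGIN SSH2 PUBLIC KEY'*)
                # Multi-line export format written by PuTTYgen's "Save public key"
                echo "line $lineno: RFC 4716 block, sshd needs the one-line form"
                n=$((n + 1)); break ;;
            ssh-*' 'AAAA*|ecdsa-*' 'AAAA*)
                blob=${line#* }; blob=${blob%% *}
                case $blob in
                    *[!A-Za-z0-9+/=]*)
                        echo "line $lineno: key data is not clean base64"
                        n=$((n + 1)) ;;
                esac ;;
            *)  echo "line $lineno: no key type at start (wrapped or truncated key?)"
                n=$((n + 1)) ;;
        esac
    done < "$f"
    return "$n"
}

# Constructed demo: a key pasted with a line break in the middle, mode 644.
# The key material is a made-up placeholder, not a usable key.
write_wrapped_sample() {
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER' \
                  'PLACEHOLDERCONTINUATION dsa-key-20140204' > "$1"
    chmod 644 "$1"
}

demo=$(mktemp)
write_wrapped_sample "$demo"
check_authorized_keys "$demo" || echo "$? problem(s)"
rm -f "$demo"
```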
DO NOT LOG OUT OF PuTTY YET, but open another connection to your server, only this time point PuTTY to your private key file to test it out. If it all goes well, your login will look something like this:
Using username "faggot".
Authenticating with public key "dsa-key-########"
Assuming that works, close your previous PuTTY session and do this:
sudo nano /etc/ssh/sshd_config
You can change the SSH port here to a random number - that's optional though, because hacker bots are gonna find it anyhow. But if you do change it don't forget to change it in PuTTY as well.
But DO make the following changes:
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UsePAM no
Add the following to the bottom if missing:
UseDNS no
AllowUsers faggot
Save these changes and restart your SSH server. On Debian it would be:
sudo /etc/init.d/ssh reload
BOOM. Assuming all went well, you have now set up your shell so that 1) "root" cannot log in, 2) ONLY "faggot" can log in, and 3) "faggot" can ONLY log in using their private key file instead of a password. You'll still want to set up and install fail2ban or similar to secure things further.
Oh, and don't lose that private key file. Back it up somewhere.
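To confirm the sshd_config edits above actually took effect, here is an added example (not from the original page) that audits a config file for those settings. The function names, the user "alice" and the sample config are constructed for illustration, and it assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes whitespace-separated
# "Keyword value" lines; user "alice" and the sample config are constructed.

# Print the global value sshd would use for KEYWORD ($2) in FILE ($1). sshd keeps
# the FIRST value it reads for a keyword, keywords are case-insensitive, and
# lines after "Match" are conditional, so parsing stops there.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_sshd_config() {
    file=$1; user=$2; bad=0
    for want in PermitRootLogin=no PasswordAuthentication=no \
                X11Forwarding=no UsePAM=no UseDNS=no "AllowUsers=$user"; do
        key=${want%%=*}; val=${want#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL $key: found '${got:-unset}', expected '$val'"
            bad=$((bad + 1))
        fi
    done
    if grep -Eiq '^[[:space:]]*match[[:space:]]' "$file"; then
        echo "WARN Match block present, it can override the values above"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed sample config (not taken from a real host).
write_sample() {
    cat > "$1" <<'EOF'
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding no
UsePAM no
AllowUsers alice
Match Address 192.0.2.0/24
    X11Forwarding yes
EOF
}
sample=$(mktemp); write_sample "$sample"
audit_sshd_config "$sample" alice || echo "$? finding(s)"
rm -f "$sample"
```

Before reloading, `sudo sshd -t` checks the edited file for syntax errors.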
Setting Up Email
Want to use your own email server to avoid the NSA? Good call! But setting up email servers can be pretty complicated. Assuming you mostly don't know what the hell you are doing, and assuming you've already secured your system per above, have a peek at iRedMail. iRedMail is an automated email and web server setup package. It works best if installed on a FRESH system - if you've already fumbled around with Apache and/or dovecot and/or postfix and failed, wipe your shit and start over with iRedMail. It will install and configure Postfix, Dovecot, Apache, and MySQL. It also installs and configures fail2ban and iptables. It includes spam filtering and greylisting. It just works. It's pretty awesome.
You will, however, still need to manually set up DNS records for SPF and DKIM.