Install and configure techdocs server: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
== Credentials == | |||
For MariaDB, MediaWiki, SAMBA, etc. | |||
See <code>/root/CREDENTIALS.txt</code> (and backups, of course). | |||
== Host OS installation == | == Host OS installation == | ||
| Line 7: | Line 13: | ||
# Allow root access via SSH key | # Allow root access via SSH key | ||
== | == Network security == | ||
The firewall rules (i.e., AWS security group) allow: | The firewall rules (i.e., AWS security group) allow: | ||
| Line 92: | Line 98: | ||
Note that installing certbot adds a cron file, <code>/etc/cron.d/certbot</code>, which regularly attempts certificate renewal | Note that installing certbot adds a cron file, <code>/etc/cron.d/certbot</code>, which regularly attempts certificate renewal | ||
== Secure MariaDB == | |||
root@techdocs:~# '''mysql_secure_installation''' | |||
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB | |||
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! | |||
In order to log into MariaDB to secure it, we'll need the current | |||
password for the root user. If you've just installed MariaDB, and | |||
haven't set the root password yet, you should just press enter here. | |||
Enter current password for root (enter for none): | |||
OK, successfully used password, moving on... | |||
Setting the root password or using the unix_socket ensures that nobody | |||
can log into the MariaDB root user without the proper authorisation. | |||
You already have your root account protected, so you can safely answer 'n'. | |||
Switch to unix_socket authentication [Y/n] | |||
Enabled successfully! | |||
Reloading privilege tables.. | |||
... Success! | |||
You already have your root account protected, so you can safely answer 'n'. | |||
Change the root password? [Y/n] | |||
New password: | |||
Re-enter new password: | |||
Password updated successfully! | |||
Reloading privilege tables.. | |||
... Success! | |||
By default, a MariaDB installation has an anonymous user, allowing anyone | |||
to log into MariaDB without having to have a user account created for | |||
them. This is intended only for testing, and to make the installation | |||
go a bit smoother. You should remove them before moving into a | |||
production environment. | |||
Remove anonymous users? [Y/n] | |||
... Success! | |||
Normally, root should only be allowed to connect from 'localhost'. This | |||
ensures that someone cannot guess at the root password from the network. | |||
Disallow root login remotely? [Y/n] | |||
... Success! | |||
By default, MariaDB comes with a database named 'test' that anyone can | |||
access. This is also intended only for testing, and should be removed | |||
before moving into a production environment. | |||
Remove test database and access to it? [Y/n] | |||
- Dropping test database... | |||
... Success! | |||
- Removing privileges on test database... | |||
... Success! | |||
Reloading the privilege tables will ensure that all changes made so far | |||
will take effect immediately. | |||
Reload privilege tables now? [Y/n] | |||
... Success! | |||
Cleaning up... | |||
All done! If you've completed all of the above steps, your MariaDB | |||
installation should now be secure. | |||
Thanks for using MariaDB! | |||
root@techdocs:~# | |||
Revision as of 14:10, 20 Haziran 2022
Credentials
For MariaDB, MediaWiki, SAMBA, etc.
See /root/CREDENTIALS.txt (and backups, of course).
Host OS installation
- Do minimal Debian Bullseye install
- Disable IPv6 in /etc/default grub
- Install updates and set hostname
- Ensure unattended-upgrades package is installed
- Allow root access via SSH key
Network security
The firewall rules (i.e., AWS security group) allow:
- Ping, SSH and HTTPs from 129.94.0.0/16 and 149.171.0.0/16
- HTTP from anywhere (to allow certbot to renew the Let's Encrypt SSL certificate
- Everything else is blocked
Initial web site setup
root@techdocs:~# apt-get install apache2 mariadb-server php php-mysql libapache2-mod-php php-xml php-mbstring php-apcu php-intl php-gd php-cli samba
Edit /etc/apache2/sites-enabled/000-default.conf and set server name to techdocs.cseunsw.tech
root@techdocs:~# systemctl restart apache2
Install certbot and acquire SSL certificate
root@techdocs:~# apt-get install python3-certbot-apache
root@techdocs:~# systemctl restart apache2
root@techdocs:~# certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): ss@cse.unsw.edu.au - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N Account registered. Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: techdocs.cseunsw.tech - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Requesting a certificate for techdocs.cseunsw.tech Performing the following challenges: http-01 challenge for techdocs.cseunsw.tech Enabled Apache rewrite module Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf Enabled Apache socache_shmcb module Enabled Apache ssl module Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf Enabled Apache rewrite module Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://techdocs.cseunsw.tech - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/techdocs.cseunsw.tech/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/techdocs.cseunsw.tech/privkey.pem Your certificate will expire on 2022-09-18. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le root@techdocs:~#
Note that installing certbot adds a cron file, /etc/cron.d/certbot, which regularly attempts certificate renewal
Secure MariaDB
root@techdocs:~# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.
You already have your root account protected, so you can safely answer 'n'.
Switch to unix_socket authentication [Y/n]
Enabled successfully!
Reloading privilege tables..
... Success!
You already have your root account protected, so you can safely answer 'n'.
Change the root password? [Y/n]
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n]
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
root@techdocs:~#