My Webserver Setup part 1



This tutorial is a bit of a rehash of the SliceHost tutorial.

What I wanted was my own web server. The cheapest way of getting one without paying a huge sum is to get a virtual server instead of a physical one.

I have a friend who uses SliceHost, where I set up Debian 5.0 (Lenny) for him, and I googled for rivals so I could compare. I ended up with Linode; they offer much more RAM for the price.

Here's my referral link if you're going to sign up: http://www.linode.com/?r=934381863d0fe5c2b59ec57bf5f6e7049fc76d5d or just copy and paste the code 934381863d0fe5c2b59ec57bf5f6e7049fc76d5d. It gives me 20 bucks, about an extra month of hosting.

Here's the setup for my Debian server:

Load Image


So load up the Debian Lenny image in Linode's manager.

Note: when the deploy is done, you will have set the root password.

SSH / Logging into your server


Now you can SSH into your server; if you're using Windows, download PuTTY to SSH into your brand new virtual server. Note that SSH's default port is 22.

An example:
ssh root@123.45.67.123

Enable color console



Let's get some color into the terminal. It helps distinguish files, folders, and other things at a glance; very helpful.

Go to your root directory:
cd /root

Edit the .bashrc file:
nano .bashrc

This is what I add/uncomment:

# ~/.bashrc: executed by bash(1) for non-login shells.

export PS1='\h:\w\$ '
umask 022

PS1='\[\033[0;35m\]\u@\h\[\033[0;33m\] \w\[\033[00m\]: '

# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'

# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'


New User with Root power



It's not really a good idea to always use the root account. What you should do instead is create a user with root power through sudo.

Let's create an Admin group:
groupadd admin

Then let's give this group root power:
visudo

Now add under root:

## Allows people in group admin to run all commands
root ALL=(ALL) ALL
admin ALL=(ALL) ALL


Now add a user to be in the admin group:

adduser anthony


Put user anthony into the admin group:
usermod -a -G admin anthony

Good, now you can use anthony instead of root all the time. Note: use your own username; you don't have to use anthony. I chose anthony because it's my name ^_^.

Now you can use this user instead of root all the time:

su anthony


Note: add color for your new user by changing the .bashrc file that resides in /home/anthony (or ~ when logged in as that user).

SSH config



Edit the SSH daemon config file (I usually use vim or vi, but the learning curve is steep):
sudo nano /etc/ssh/sshd_config

These are the things I've added/changed:

Protocol 2
PermitRootLogin no
PasswordAuthentication no
UseDNS no
AllowUsers demo


I didn't change the port because some applications expect SSH to be on port 22. But you can change it if you want.

Note: AllowUsers demo is the SliceHost example user; put your own username there (anthony in my case), otherwise you'll be locked out. Likewise, PasswordAuthentication no only works once your public key is in that user's ~/.ssh/authorized_keys. Keep your current session open, restart the daemon with sudo /etc/init.d/ssh restart, and test a fresh login before you close it.
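An added example (not from the original post or SliceHost): a small POSIX sh pre-flight check that reads the sshd_config changes above and refuses if they would lock the admin user out. It assumes the admin user is anthony with home /home/anthony; change the two arguments at the bottom for your own setup.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of an sshd_config
# before restarting sshd, so that "PasswordAuthentication no" + "AllowUsers"
# cannot lock the admin user out. Assumption: admin user "anthony", home
# /home/anthony (adjust the arguments in the usage block at the bottom).

# Print the effective value of a keyword. sshd uses the FIRST occurrence of a
# keyword, so a duplicate added lower in the file is silently ignored.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 if config $1 can be activated without locking out user $2 (home $3).
sshd_preflight() {
    cfg="$1"; user="$2"; home="$3"; ok=0
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no'"; ok=1; }
    if [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ]; then
        # Passwords are off, so a public key must already be installed for $user.
        [ -s "$home/.ssh/authorized_keys" ] \
            || { echo "PasswordAuthentication no, but $home/.ssh/authorized_keys is missing or empty"; ok=1; }
    fi
    # AllowUsers is a whitelist: if present, $user must be on it (whole-word match).
    allowed=$(awk 'tolower($1) == "allowusers" { $1 = ""; print; exit }' "$cfg")
    if [ -n "$allowed" ]; then
        case " $allowed " in
            *" $user "*) ;;
            *) echo "AllowUsers does not include $user (have:$allowed)"; ok=1 ;;
        esac
    fi
    return $ok
}

# Usage: sudo sh sshd-preflight.sh --check && sudo /etc/init.d/ssh restart
if [ "${1:-}" = "--check" ]; then
    sshd_preflight /etc/ssh/sshd_config anthony /home/anthony
fi
```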


Firewall aka iptables



Your server has no firewall whatsoever right now. I'm worried about the hackers, so let's change that.

Let's see what firewall rules you have right now:
sudo iptables -L

This is what you should see on a clean default Debian Lenny installation:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Let's create our own firewall rules in a text file:

sudo mkdir /root/firewall
sudo nano /root/firewall/iptables.current.rules


I created a firewall directory in /root because whenever I want to add new rules to the firewall, I back up the current set of rules and save it in /root/firewall.

Here are the example rules from SliceHost; you can put these in your iptables.current.rules:

*filter


# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT


# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT


# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT


# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT


# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT


It's up to you which ports you want to open. I reject every port unless I state otherwise.

Here's a list of official ports: Wiki

Implement the rules (the file is the one you created in /root/firewall above):
sudo /sbin/iptables-restore < /root/firewall/iptables.current.rules

Check out your implemented rules:
sudo iptables -L

Make sure everything is correct; if not, you can flush the rules and start over:
sudo iptables -F

Making the rules persist after a server reboot:

sudo nano /etc/network/if-pre-up.d/iptables

Add these lines:

#!/bin/sh
/sbin/iptables-restore < /root/firewall/iptables.current.rules


Now save the changes and make your iptables script executable:

sudo chmod +x /etc/network/if-pre-up.d/iptables


Note: these newly developed rules of yours will not persist if your server is rebooted unless you do the above step.


How to back up the current set of iptables rules:
sudo iptables-save -c > iptables-backup.txt
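An added example (not from the original post or SliceHost): a POSIX sh wrapper for the "implement the rules" step above that checks the file still allows SSH, backs up the live rules into /root/firewall, and reverts automatically unless you confirm from a fresh SSH session. It assumes the file layout from this section, SSH on port 22, and that it runs as root (via sudo); the script name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or SliceHost): load a new rules file
# with a safety net so a mistake in the rules cannot lock you out of a remote box.
# Assumptions: rules live in /root/firewall as set up above, SSH listens on 22,
# and this runs as root (sudo sh firewall-apply.sh --apply <rulesfile>).

# Return 0 if the file has the *filter header and COMMIT line iptables-restore needs.
rules_well_formed() {
    grep -q '^\*filter' "$1" && grep -q '^COMMIT' "$1"
}

# Return 0 if some INPUT rule accepts TCP to port $2 (the SSH port must stay open).
ssh_rule_present() {
    grep -E "^-A INPUT .*-p tcp .*--dport $2"'( |$).*-j ACCEPT' "$1" >/dev/null
}

# Save the live rules, load the new file, and revert automatically unless the
# operator confirms from a fresh SSH session within $2 seconds (default 60).
apply_with_rollback() {
    rules="$1"; secs="${2:-60}"
    backup="/root/firewall/iptables.backup.$(date +%Y%m%d%H%M%S)"
    rules_well_formed "$rules"   || { echo "refusing: no *filter/COMMIT in $rules" >&2; return 1; }
    ssh_rule_present "$rules" 22 || { echo "refusing: $rules does not allow SSH on 22" >&2; return 1; }
    /sbin/iptables-save > "$backup" || return 1
    # Watchdog: nohup keeps it alive if this SSH session drops; it then restores the backup.
    nohup sh -c "sleep $secs; /sbin/iptables-restore < '$backup'" >/dev/null 2>&1 &
    watchdog=$!
    if ! /sbin/iptables-restore < "$rules"; then
        kill "$watchdog" 2>/dev/null; /sbin/iptables-restore < "$backup"; return 1
    fi
    echo "Rules loaded. Open a NEW ssh session now, then press Enter here within ${secs}s to keep them."
    read _
    if kill "$watchdog" 2>/dev/null; then
        echo "Kept. Previous rules saved in $backup"
    else
        echo "Too late: the watchdog already restored $backup" >&2; return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_with_rollback "${2:-/root/firewall/iptables.current.rules}"
fi
```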

Change your server's timezone


Easiest way:

sudo dpkg-reconfigure tzdata

Spacebar selects, Tab moves between options, Enter confirms. Just follow the menus.

Change your server's locale (language)



sudo dpkg-reconfigure locales

For example, I chose en_US.UTF-8 UTF-8.

Domain name



When I bought the VPS I hadn't actually bought the domain name yet. I went with godaddy.com for the anthonydoan.com address, which is about $10.98 (USD). Note there's a lot of craptastic spam they'll throw at you while you try to register and pay for the domain. I dumped the cart because of the spam, looked around, and came back. Customer service is decent; you don't have to wait long on the phone.

They'll ask you for your name servers, and you just supply Linode's, like so:

ns1.linode.com
ns2.linode.com
ns3.linode.com
.... up to ns6



Using Linode's DNS manager you should be able to enter your domain name, set it to master, and you're done!
