Hi,
I thought I'd write a quick how-to on getting your Debian Linode up to par. Some of this information is available through the Linode wiki pages, but I thought I'd compile a step-by-step guide for updating Debian, installing the 'essentials', finding your way around the Linode DNS manager, a little fine tuning, and some simple ways to increase your server's security.
# Resynchronize package index from repository and upgrade installed packages.
Code:
apt-get update && apt-get upgrade
# Install build-essential. (gcc/g++/make/dpkg/libs)
Code:
apt-get install build-essential
# Add a normal user, and create a group for people who are allowed to SSH in -- A directive will be added to the sshd_config a little further down.
Code:
adduser <username>
groupadd -g 9000 ssh_allow
usermod -aG ssh_allow,staff <username>
Please note that by default, the OpenSSH package included with Debian has already had TCPwrapping enabled. If you have previously compiled from source and are not sure if you've enabled it, you can check by doing this:
Code:
strings /usr/sbin/sshd | grep -i hosts_access
If this does not return a result, please follow the steps below to update to the latest OpenSSH release and recompile with TCPwrapping:
Code:
apt-get install zlib1g zlib1g-dev libwrap0 libwrap0-dev libssl-dev && cd /usr/src && wget ftp://mirror.planetunix.net/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz && tar zxvf openssh-5.2p1.tar.gz && cd openssh-5.2p1 && ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-tcp-wrappers && make && make install
==CONTINUE AS NORMAL==
# Edit your sshd_config to deny root logins, and only allow people to connect who are members of the ssh_allow group.
Code:
nano /etc/ssh/sshd_config
Code:
PermitRootLogin no
AllowGroups ssh_allow
# While we already have the AllowGroups directive in place, it doesn't hurt to take advantage of hosts.deny/allow.
# Deny ALL connections to sshd.
Code:
nano /etc/hosts.deny
Code:
sshd: ALL
# However, allow for these hosts to connect.
Code:
nano /etc/hosts.allow
Code:
sshd: *.yourisp.com
# Restart SSH for the new changes to take effect.
Code:
/etc/init.d/ssh restart
# Renaming your hostname -- Just to add a little personality

Code:
rm -rf /etc/hostname && echo "newhostname" >>/etc/hostname && hostname -F /etc/hostname && echo "127.0.0.1 newhostname" >>/etc/hosts
# Setting permissions on utmp, wtmp, lastlog and changing the ownership so only members of the staff group can view the output of the w, who, last, lastlog commands.
# You might also want to add these to your /etc/rc.local.
Code:
chmod 0640 /var/run/utmp   # on Debian utmp lives in /var/run, not /var/log
chmod 0640 /var/log/wtmp
chmod 0640 /var/log/lastlog
chown :staff /var/run/utmp
chown :staff /var/log/wtmp
chown :staff /var/log/lastlog
# Remove world readable permissions of /home.
Code:
chmod 0751 /home /home/*   # not -R, which would also set the execute bit on every file
# Installing MySQL, Lighttpd, and PHP5.
Code:
apt-get install mysql-client mysql-server lighttpd php5-cgi
# Caker's MySQL tune:
Code:
/etc/init.d/mysql stop && cd /etc/mysql && mv my.cnf my.orig && wget http://www.linode.com/~caker/uml/my.cnf && /etc/init.d/mysql start
# Enabling PHP and Virtual Hostnames in Lighttpd, and
# Creating the document root for each Virtual Hostname:
Code:
mkdir -p /www/domain1.com
mkdir -p /www/domain2.com
# Create folders for logs to be stored in corresponding domain names, set file permissions for /www and give lighttpd write access to /var/log/lighttpd.
Code:
mkdir /var/log/lighttpd/domain1.com
mkdir /var/log/lighttpd/domain2.com
chown -R username:username /www
chown -R www-data:username /var/log/lighttpd
# Enabling PHP.
Code:
nano +533 /etc/php5/cgi/php.ini
Code:
change "cgi.fix_pathinfo = 0" to "cgi.fix_pathinfo = 1"
# server.modules=
Code:
nano +14 /etc/lighttpd/lighttpd.conf
Code:
add: "mod_fastcgi",
# Add this to the bottom of your config.
Code:
nano +168 /etc/lighttpd/lighttpd.conf
Code:
fastcgi.server = ( ".php" =>
  ((
    "bin-path" => "/usr/bin/php-cgi",
    "socket" => "/tmp/php.socket",
    "max-procs" => 1,
    "idle-timeout" => 20,
    "bin-environment" => (
      "PHP_FCGI_CHILDREN" => "4",
      "PHP_FCGI_MAX_REQUESTS" => "10000"
    ),
    "bin-copy-environment" => (
      "PATH", "SHELL", "USER"
    ),
    "broken-scriptfilename" => "enable"
  ))
)
# Configuring the Virtual names:
Code:
nano +155 /etc/lighttpd/lighttpd.conf
# Comment out the original $HTTP[] { } block and add the new blocks for your domains:
Code:
$HTTP["host"] =~ "(^|\.)domain1\.com$" {
  server.document-root = "/www/domain1.com"
  server.errorlog = "/var/log/lighttpd/domain1.com/error.log"
  accesslog.filename = "/var/log/lighttpd/domain1.com/access.log"
}
$HTTP["host"] =~ "(^|\.)domain2\.com$" {
  server.document-root = "/www/domain2.com"
  server.errorlog = "/var/log/lighttpd/domain2.com/error.log"
  accesslog.filename = "/var/log/lighttpd/domain2.com/access.log"
}
# Restart Lighttpd.
Code:
/etc/init.d/lighttpd restart
# Now that you've set up Lighttpd, the only thing left to do is point your domain(s) to your VPS. This can be achieved using the Linode DNS Manager.
Code:
1. Log into your domain registrar's control panel (where you registered the domain).
2. You need to edit the name servers of your domain to point to the Linode ones:
NS1.LINODE.COM
NS2.LINODE.COM
NS3.LINODE.COM
NS4.LINODE.COM
3. Save your changes, and log out of your registrar's control panel.
4. Log into https://www.linode.com/members/
5. Click on the "DNS Manager" Tab.
6. Click on the "Add a new domain zone" link (bottom right).
7. Enter your Domain Name.
8. Click continue.
9. Add your email address to the SOA E-Mail field.
10. Click Save.
By default, it will have your domain point to the IP address of your Linode VPS. Wait until your DNS propagates and you're done!
EDIT (a few times): Fixed spelling errors/typos, and amended a couple of the processes to make them clearer. Thanks for everyone's feedback.
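A pre-restart check for the sshd_config step of the guide (PermitRootLogin no plus AllowGroups ssh_allow), added here as an example and not part of the original post. It confirms the two directives are effective in the global section and that ssh_allow actually has a member, since an empty group combined with disabled root login locks everyone out. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the sshd_config edits from this guide before restarting sshd.

# First global value of a keyword. Keywords are case-insensitive, sshd keeps the
# first value it obtains, and anything after a Match line is conditional.
first_value() {  # first_value <keyword> <sshd_config>
    awk -v k="$1" 'BEGIN { k = tolower(k) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }' "$2"
}

# Every group named on a global AllowGroups line, one per line.
allowed_groups() {  # allowed_groups <sshd_config>
    awk '/^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Members listed for a group in an /etc/group-format file (name:x:gid:members).
group_members() {  # group_members <group> <group_file>
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Returns 0 only if root login is off, ssh_allow is permitted, and it has a member.
audit_ssh_lockdown() {  # audit_ssh_lockdown <sshd_config> <group_file>
    rc=0
    [ "$(first_value PermitRootLogin "$1")" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    allowed_groups "$1" | grep -qx ssh_allow ||
        { echo "FAIL: AllowGroups does not name ssh_allow"; rc=1; }
    [ -n "$(group_members ssh_allow "$2")" ] ||
        { echo "FAIL: ssh_allow has no members, a restart would lock everyone out"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real host).
d=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' 'AllowGroups ssh_allow' \
    'Match User backup' '  PermitRootLogin yes' > "$d/sshd_config"
printf '%s\n' 'staff:x:50:alice' 'ssh_allow:x:9000:alice' > "$d/group"
printf '%s\n' 'ssh_allow:x:9000:' > "$d/group_empty"
audit_ssh_lockdown "$d/sshd_config" "$d/group" && echo "OK: safe to restart sshd"
audit_ssh_lockdown "$d/sshd_config" "$d/group_empty" || echo "Hold: fix the above first"
```

On a live host, pass /etc/ssh/sshd_config and /etc/group, run `sshd -t` to catch syntax errors, and keep the current session open until a second login succeeds.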