Install Debian 6 server on Rackspace

Install some defaults

# apt-get install curl less git
# update-alternatives --set pager /bin/less
# update-alternatives --set editor /usr/bin/vim.tiny

Add default users

You will be asked for passwords and various optional information

# adduser damo
# adduser www

Configure sudo and su

# visudo

Content of the file should be

root    ALL=(ALL) ALL
damo    ALL=(ALL) ALL
%sudo   ALL=NOPASSWD: ALL

Save, and exit, then do the following

# addgroup wheel
# usermod -a -G wheel root
# usermod -a -G sudo damo
# vi /etc/pam.d/su

It should have the following line enabled:

auth       required   pam_wheel.so group=wheel

Configure ssh

# vi /etc/ssh/sshd_config

Make sure it has the following configuration

Port 7077
PermitRootLogin no
AllowUsers damo www
PasswordAuthentication no
AuthorizedKeysFile      %h/.ssh/authorized_keys

Add a password protected ssh key for the damo user

(on your local machine, assuming you have pbcopy, otherwise just copy manually)

$ cd ~/.ssh
$ ssh-keygen -f somanyfeeds-admin
yourpassword<enter>
yourpassword<enter>
$ cat ~/.ssh/somanyfeeds-admin.pub | pbcopy

(on remote machine)
paste the public key in /home/damo/.ssh/authorized_keys

Add a basic ssh key for the www user

(on your local machine, assuming you have pbcopy, otherwise just copy manually)

$ cd ~/.ssh
$ ssh-keygen -f somanyfeeds-www
<enter>
<enter>
$ cat ~/.ssh/somanyfeeds-www.pub | pbcopy

(on remote machine)
paste the public key in /home/www/.ssh/authorized_keys
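The two "paste the public key" steps above are where lockouts usually happen: with its default StrictModes setting, sshd silently ignores an authorized_keys file whose directory or file is group or world writable, and a clipboard paste without a trailing newline corrupts the next key appended. The following shell function is an added example, not part of the original notes: it creates ~/.ssh and authorized_keys with the permissions sshd expects, refuses anything that is not a single OpenSSH public-key line, and appends the key only once. The function name and its arguments are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): install a public key into a
# user's authorized_keys with the permissions sshd's StrictModes expects.
# Usage: install_authorized_key USER HOME_DIR PUBKEY_FILE
# Returns 0 on success, 1 if PUBKEY_FILE is not a single OpenSSH public key line.

install_authorized_key() {
    user="$1"
    home="$2"
    pubkey="$3"
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    # Accept exactly one "<type> <base64>[ comment]" line, so a pasted private
    # key or a multi-line clipboard never lands in the file.
    if [ "$(grep -c '' "$pubkey")" -ne 1 ] ||
       ! grep -Eq '^(ssh-rsa|ssh-dss|ecdsa-sha2-nistp[0-9]+|ssh-ed25519) [A-Za-z0-9+/=]+( .*)?$' "$pubkey"; then
        echo "install_authorized_key: $pubkey is not a single OpenSSH public key line" >&2
        return 1
    fi

    # 700 on ~/.ssh and 600 on authorized_keys: anything looser makes sshd
    # (StrictModes yes) ignore the file and fall back to password auth, which
    # the sshd_config above has disabled.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"

    # Append only if this exact key is not already present, so re-running the
    # setup does not duplicate entries; printf guarantees the trailing newline.
    if ! grep -qxF "$(cat "$pubkey")" "$authkeys"; then
        printf '%s\n' "$(cat "$pubkey")" >> "$authkeys"
    fi

    chown -R "$user:$(id -gn "$user")" "$sshdir"
}

# Run directly on the server, e.g.:
#   sh install_key.sh www /home/www /tmp/somanyfeeds-www.pub
if [ "$#" -eq 3 ]; then
    install_authorized_key "$@"
fi
```

Run it as root once per user after copying the .pub file to the server; a second run with the same key is a no-op.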

Local ssh configuration

$ vi ~/.ssh/config

Add the following to the file

Host somanyfeeds-www
  Hostname     184.106.113.138
  Port         2022
  User         www
  HostKeyAlias somanyfeeds
  IdentityFile ~/.ssh/somanyfeeds-www

Host somanyfeeds-admin
  Hostname     184.106.113.138
  Port         2022
  User         damo
  HostKeyAlias somanyfeeds
  IdentityFile ~/.ssh/somanyfeeds-admin

Restart ssh

Double check your config, because if you have broken it you won’t be able to ssh back in.

# /etc/init.d/ssh restart

Configure IPtables

The goal is to have a whitelist of authorised services.
Just add the services you want: SSH and HTTP.

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 2022 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Make sure the rules are catching the traffic.
Try and connect to each of those, then check the traffic with:

# iptables -L -v

If those rules suit you, you should now drop all other traffic.
Really make sure it works well before doing that…
or you won’t be able to access your server, at all.

# iptables -P INPUT DROP

Now to save the configuration and automatically load it on startup:

# iptables-save > /etc/iptables.rules

Set up the restore script

# cd /etc/network/if-pre-up.d
# touch iptables
# chown root:root iptables
# chmod u+x iptables
# vi iptables

Add the following to the script

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules

You should be all set!
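Before the ssh restart and the switch to a DROP policy in the two sections above, it is worth checking the two files against each other: the sshd_config above says Port 7077, while the local ~/.ssh/config and the iptables rule use 2022, and that combination locks you out as soon as sshd restarts. The following script is an added example, not part of the original notes: it reads the active Port lines from an sshd_config and verifies that the saved /etc/iptables.rules (iptables-save format) has a TCP ACCEPT rule for each one. The function names and arguments are assumptions of mine; pair it with "sshd -t", which catches syntax errors in the same file.

```shell
#!/bin/sh
# Added example (not from the original notes): confirm that every port sshd
# will listen on is accepted by the saved firewall rules before restarting
# sshd or setting the INPUT policy to DROP.
# Usage: ssh_port_allowed SSHD_CONFIG RULES_FILE
# Returns 0 when each Port in sshd_config has a matching TCP ACCEPT rule,
# 1 otherwise (and names the missing port on stderr).

sshd_ports() {
    # Only active "Port N" lines count; sshd defaults to 22 when none is set.
    ports=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1")
    [ -n "$ports" ] && echo "$ports" || echo 22
}

ssh_port_allowed() {
    config="$1"
    rules="$2"
    status=0
    for port in $(sshd_ports "$config"); do
        # iptables-save writes the page's rule as
        #   -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
        # "( |$)" stops 2022 from matching a --dport 20220 rule.
        if ! grep -Eq -- "^-A INPUT .*-p tcp .*--dport ${port}( |$).*-j ACCEPT" "$rules"; then
            echo "sshd listens on $port but $rules has no ACCEPT rule for it" >&2
            status=1
        fi
    done
    return "$status"
}

# Run directly on the server:
#   sh check_ssh_port.sh /etc/ssh/sshd_config /etc/iptables.rules && sshd -t
if [ "$#" -eq 2 ]; then
    ssh_port_allowed "$1" "$2"
fi
```

Keep the existing ssh session open while you run this and the restart; a second session that successfully connects on the new port is the real confirmation.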

Install updates

The following will set Debian to choose stable packages by default

# echo "APT::Default-Release \"stable\";" > /etc/apt/apt.conf.d/10stable
# vi /etc/apt/sources.list

The following will allow us to have testing sources as well

deb http://http.us.debian.org/debian/ squeeze main contrib non-free
deb-src http://http.us.debian.org/debian/ squeeze main contrib non-free

deb http://http.us.debian.org/debian/ wheezy main contrib non-free
deb-src http://http.us.debian.org/debian/ wheezy main contrib non-free

deb http://security.debian.org/ squeeze/updates main contrib
deb-src http://security.debian.org/ squeeze/updates main contrib

# apt-get update
# apt-get upgrade

If the server is not able to connect for apt-get update, you can temporarily open iptables during the installation process…
I haven’t found the exact rules to add for apt-get. Contact me if you have more info!

# iptables -P INPUT ACCEPT

Install fail2ban

# apt-get install fail2ban
# /etc/init.d/fail2ban start

Install varnish HTTP accelerator

To use the varnish-cache.org repository and install varnish, do the following:

# curl http://repo.varnish-cache.org/debian/GPG-key.txt | apt-key add -
# echo "deb http://repo.varnish-cache.org/debian/ squeeze varnish-3.0" >> /etc/apt/sources.list.d/varnish.list
# apt-get update
# apt-get install varnish

Configure Varnish to listen on port 80 and pass requests to the backend on port 8080 on a cache miss

Install Nginx

# apt-get -t testing install nginx

When you configure Nginx, make sure it listens on port 8080, the backend port Varnish was configured with above

Install rvm, and ruby 1.9.2

SSH as damo

damo@somanyfeeds$ sudo apt-get install build-essential bison libreadline6-dev git-core zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 autoconf ncurses-dev
damo@somanyfeeds$ sudo apt-get install -t testing libxml2-dev libxslt-dev

SSH as www

www@somanyfeeds$ bash < <(curl -s https://rvm.beginrescueend.com/install/rvm) 
www@somanyfeeds$ echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm" # Load RVM function' >> ~/.profile

Logout and log back in

www@somanyfeeds$ rvm install 1.9.2

Install MongoDB

# apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10
# echo "deb http://downloads-distro.mongodb.org/repo/debian-sysvinit dist 10gen" >> /etc/apt/sources.list.d/mongodb.list
# apt-get update
# apt-get install mongodb-10gen

Install RabbitMQ

TODO

Install Memcached

# apt-get install memcached

Install Monit

# apt-get install monit

Then add the various servers you want to monitor.
The configurations below could probably be fine tuned to:

  • check for memory usage
  • check for cpu usage
  • check the server actually responds

Varnish monit configuration

Create file /etc/monit/conf.d/varnish

check process varnish with pidfile /var/run/varnishd.pid
  start program = "/etc/init.d/varnish start"
  stop program  = "/etc/init.d/varnish stop"
  group server

Nginx monit configuration

Create file /etc/monit/conf.d/nginx

check process nginx with pidfile /var/run/nginx.pid
  start program = "/etc/init.d/nginx start"
  stop program  = "/etc/init.d/nginx stop"
  group server

MongoDB monit configuration

Create file /etc/monit/conf.d/mongodb

check process mongodb with pidfile /var/run/mongodb.pid
  start program = "/etc/init.d/mongodb start"
  stop program  = "/etc/init.d/mongodb stop"
  group server

RabbitMQ monit configuration

TODO

Memcached monit configuration

Create file /etc/monit/conf.d/memcached

check process memcached with pidfile /var/run/memcached.pid
  start program = "/etc/init.d/memcached start"
  stop program  = "/etc/init.d/memcached stop"
  group server
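As an added example of the fine-tuning suggested in the list above (not from the original notes), here is the Nginx entry extended with the three checks: a response test against port 8080, where Nginx listens behind Varnish, cpu and memory thresholds, and a guard that stops Monit from restarting a crash-looping process forever. The thresholds are placeholders to adjust for the box; the host, port and pidfile are the ones used elsewhere in these notes.

```monit
check process nginx with pidfile /var/run/nginx.pid
  start program = "/etc/init.d/nginx start"
  stop program  = "/etc/init.d/nginx stop"
  # check the server actually responds: Nginx is the Varnish backend on 8080
  if failed host 127.0.0.1 port 8080 protocol http
     with timeout 10 seconds then restart
  # cpu and memory usage of the master plus its workers (placeholder thresholds)
  if cpu > 80% for 5 cycles then alert
  if totalmem > 256 MB for 5 cycles then alert
  # stop a crash loop instead of restarting indefinitely
  if 5 restarts within 5 cycles then timeout
  group server
```

Validate the syntax with "monit -t" before restarting Monit; the same three checks apply to the varnish, mongodb and memcached entries with their own ports.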

Finish the configuration

In /etc/default/monit set

startup=1

Then do the following

# /etc/init.d/monit restart

Configuring servers to launch at startup

# apt-get install rcconf
# rcconf

Configuring log rotation

Add the file /etc/logrotate.d/somanyfeeds
Add a configuration for each log file, for example:

/home/www/somanyfeeds.com/shared/log/nginx.access.log {
        weekly
        rotate 5
        create 640 www www
}
/home/www/somanyfeeds.com/shared/log/unicorn.stdout.log {
        weekly
        rotate 5
        create 640 www www
}
/home/www/somanyfeeds.com/shared/log/unicorn.stderr.log {
        weekly
        rotate 5
        create 640 www www
}

Ensure your default iptables policy is back to normal

# iptables -P INPUT DROP
# iptables-save > /etc/iptables.rules