private server install log 03/2014

this is taken from here:
https://github.com/al3x/sovereign
and I want to play with ansible on my other server (the .eu domain) but this will be my private server where things are (of course) different.
UPDATE 7/2014: added webmail and roundcube and owncloud plugin
NEEDS: backup scripts / dumps

– create a VM with basic specs for Ubuntu
– set up 12.04 LTS with 64bit flavor >> UPDATE: 14.04 LTS is out – mail server is on 14, rest stays on 12 for now…
– chose LVM and an encrypted home directory during install
– install VMware tools / xen tools > or stick to KVM

– allow SSH on the firewall
don’t forget IPv6 for the rules, or use UFW
#ufw allow ssh
#ufw limit ssh/tcp <-- is this actually useful in combination with fail2ban? check /etc/ssh/sshd_config to see whether it uses PAM - then we can plug in the 2-factor authenticator :)

– mosh – useful
apt-get install mosh
open the ports correspondingly
#ufw allow proto udp from any to any port 60000:60010
this allows mosh instead of ssh to your server, which helps with lag/latency

– htop – interactive “top”
http://hisham.hm/htop/

– fail2ban – block connection attempts
apt-get install fail2ban
edit /etc/fail2ban/fail2ban.conf
and edit
/etc/fail2ban/jail.conf
or better: create a jail.local (it overrides jail.conf)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

here check for the following:

separate whitelisted hosts/subnets/CIDR blocks with spaces under ‘ignoreip’
also, set up your MTA and recipient address under destemail
bantime and maxretry can be adjusted
backend can be auto

edit /etc/fail2ban/jail.local
and apply the banactions for UFW as we are not using iptables directly (we suck!)

[ssh]
enabled = true
banaction = ufw-ssh
port = 2992
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[apache]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-auth
logpath = /var/log/apache*/error*.log
maxretry = 4

[apache-filenotfound]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-nohome
logpath = /var/log/apache*/error*.log
maxretry = 3

[apache-noscript]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-noscript
logpath = /var/log/apache*/error*.log
maxretry = 6

[apache-overflows]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-overflows
logpath = /var/log/apache*/error*.log
maxretry = 2

create /etc/fail2ban/action.d/ufw-ssh.conf:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH

and /etc/fail2ban/action.d/ufw-apache.conf:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 2 deny from <ip> to any app "Apache Full"
actionunban = ufw delete deny from <ip> to any app "Apache Full"

DISCUSS: IPv6 – hack a little 64 gateway or block SSH for IPv6 (which would be silly…)

restart ufw and fail2ban to activate:

andreas@telecity:~$ sudo service fail2ban restart
* Restarting authentication failure monitor fail2ban [ OK ]
andreas@telecity:~$ sudo service ufw restart
ufw stop/waiting
ufw start/running

check status (default only SSH is enabled)
andreas@telecity:~# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
root@telecity:~#

it works! UFW inserts a deny rule for every host that tries to brute-force

tail -f /var/log/fail2ban.log
2014-07-19 11:24:49,201 fail2ban.actions: WARNING [ssh] Ban 116.10.191.163

$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    DENY        116.10.191.163
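A consistency check I would run at this point, as an added example that is not part of the original log or of fail2ban/ufw: replay the Ban/Unban lines of fail2ban.log, parse the output of `sudo ufw status`, and report bans that have no matching DENY rule, which is what you get when the `<ip>` tag in the action file gets lost or the app profile name does not match. The log and status text are constructed samples; the jail-to-profile mapping assumes the ufw-ssh/ufw-apache actions above.

```python
import re

# Constructed sample of /var/log/fail2ban.log lines (same format as the tail above).
FAIL2BAN_LOG = """\
2014-07-19 11:24:49,201 fail2ban.actions: WARNING [ssh] Ban 116.10.191.163
2014-07-19 11:31:02,455 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2014-07-19 11:40:12,003 fail2ban.actions: WARNING [apache-noscript] Ban 203.0.113.9
2014-07-19 11:44:49,380 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
"""

# Constructed sample of `sudo ufw status` output: the apache ban never became a rule.
UFW_STATUS = """\
To                         Action      From
--                         ------      ----
OpenSSH                    DENY        116.10.191.163
22/tcp                     ALLOW       Anywhere
"""

BAN_RE = re.compile(r"\[(?P<jail>[^\]]+)\] (?P<verb>Ban|Unban) (?P<ip>\S+)")
UFW_RE = re.compile(r"^(?P<app>.+?)\s{2,}DENY\s+(?P<ip>\S+)$")

def jail_app(jail):
    """ufw app profile that the ufw-ssh / ufw-apache action files above use."""
    return "OpenSSH" if jail == "ssh" else "Apache Full" if jail.startswith("apache") else jail

def fail2ban_active_bans(log_text):
    """Replay Ban/Unban events in order; return {jail: set(ip)} still banned."""
    banned = {}
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        ips = banned.setdefault(m["jail"], set())
        if m["verb"] == "Ban":
            ips.add(m["ip"])
        else:
            ips.discard(m["ip"])
    return banned

def ufw_deny_rules(status_text):
    """{(app, ip)} for every ufw DENY rule aimed at a specific source address."""
    found = (UFW_RE.match(line.strip()) for line in status_text.splitlines())
    return {(m["app"].strip(), m["ip"]) for m in found if m and m["ip"] != "Anywhere"}

def missing_ufw_rules(log_text, status_text):
    """Bans fail2ban believes are active but ufw has no matching DENY rule for."""
    have = ufw_deny_rules(status_text)
    return sorted((jail, ip) for jail, ips in fail2ban_active_bans(log_text).items()
                  for ip in ips if (jail_app(jail), ip) not in have)
```

On a live box feed it `open("/var/log/fail2ban.log").read()` and the captured `ufw status` text; an empty result means the action files are doing their job.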

– install build-essential, openssl and libssl-dev to be able to create a wildcard certificate (self-signed) and other stuff we have to build from scratch

– owncloud – via owncloud.com
install according to manual there (#apt-get install owncloud)
admin docs: http://doc.owncloud.com/
modify your webserver to allow owncloud to do its magic:
#chown -R www-data:www-data /path/to/your/owncloud/apps
#chown -R www-data:www-data /path/to/your/owncloud/data
#chown -R www-data:www-data /path/to/your/owncloud/config
set ‘AllowOverride All’ in the /var/www/ section of apache2 config file
(/etc/apache2/sites-available/default)
#a2enmod rewrite
#a2enmod headers
then restart apache
#service apache2 restart
open firewall ports: ufw allow http and https
then point browser to https://[your server’s URL]/owncloud
if you want to install into mysql choose “advanced” – otherwise just go with sqlite and create an admin user
you are done!

go admin > create a group and some users
set up the client (owncloud-client) and point it to your server’s URL (use https and a full path)
create folders > they will be synced by owncloud and to your server

other features:
use cardDAV/calDAV
sync music (amaroK/tomahawk)
plugins (roundcube, large files, mobile interface, etc…)

once it works, why not make it secure and install SSL:
– create a self-signed SSL certificate (for web and mail server) or buy one ;)
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
and install them
# cp server.crt /etc/ssl/certs
# cp server.key /etc/ssl/private
adjust apache2 config to enable SSL:

edit sites-available/default-ssl
enable “AllowOverride All” for all /var/www instances as before
check ‘SSLEngine On’ is there
point it at your certificate and key instead of the “snakeoil” cert

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

enable the engine with
#a2ensite default-ssl

and restart server
#service apache2 restart

and check if your browser accepts the cert :)

hints to make SSL more secure from phra.gs
https://phra.gs/blob/2014-02-14-apachessl.html

now get connected using owncloud client using the username/password you set as admin

NOTE: every time you update the owncloud binaries you need to go to the website once to apply the update!

– quassel

http://bugs.quassel-irc.org/projects/quassel-irc/wiki

apt-get install quassel-core
for the server
open port 4242 on your firewall/iptables

and use quassel-client for the client
there is quasseldroid and iQuassel for mobile clients

it doesn’t use SSL by default – so stop the service and launch quasselcore manually
it will show you where it wants the config files and SSL certs

then create the cert as indicated here:
http://bugs.quassel-irc.org/projects/quassel-irc/wiki/Client-Core_SSL_support
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem

connect to your server for the first time and a welcome dialog will appear
set up the first user (who will be an admin)
and then go play :) (and chat from anywhere)

useful for irssi integration:
https://github.com/phhusson/quassel-irssi

mmarley has a more recent repository on launchpad – use it if you want to use 0.10 and not 0.8

gallery2:
simple: apt-get install gallery2
install mysql-server and set up the database (Remember the user/pass)
http://codex.galleryproject.org/Gallery2:Installation_on_Debian

then run the webinstaller and do the rest
http://yourdomain/gallery2

edit /etc/php5/apache2/php.ini and raise the file limits if you want /need

add a seedbox? transmission-bt !
http://filesharefreak.com/2012/05/10/seedbox-from-scratch-new-server-to-seeding-in-less-than-5-minutes

although that is something for my raspi at home / openelec style

install transmission-daemon – set up config and password
apt-get install transmission-daemon

nano /etc/transmission-daemon/settings.json

and open firewall for the tcp ports – done :)

– diaspora
https://wiki.diasporafoundation.org/Installation/Ubuntu/Precise
seems I need a “valid” SSL cert and a dedicated webserver – so I will do that virtually instead or from home or not at all.

– XMPP
apt-get install prosody
configure as per example / global settings and add an admin user there

create some keys:

openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/xxxxxxxx.crt" -newkey rsa:4096 -keyout "/etc/ssl/private/xxxxxxxx.key"

under your server add the certs
ssl = {
/path/to,,,

and create symlinks

test the keys:
sudo chmod 600 /path/to/certificate.key
sudo chown prosody:prosody /path/to/certificate.key

Prosody should also be able to read the parent directories of the file.

To test that only Prosody can read the file:

sudo -u prosody cat /path/to/certificate.key # Should succeed
sudo -u nobody cat /path/to/certificate.key # Should fail

Declaring host

The configuration of the host im.example.org is done in the file /etc/prosody/conf.avail/im.example.org.cfg.lua; the file example.com.cfg.lua may serve as a model:

cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/im.example.org.cfg.lua

With your favorite editor change the VirtualHost and enabled settings so you have:

VirtualHost "im.example.org"
--enabled = false -- Remove this line to enable this host

The line "enabled = [...]" can also be removed instead of commenting it out as above.

Also point to the key and the SSL certificate:

ssl = {
    key = "/etc/prosody/certs/im.example.org.key";
    certificate = "/etc/prosody/certs/im.example.org.cert";
}

If you already have a key / certificate pair on the same domain name (Common Name), for example for apache, point to it instead of the files listed above.

Now create the symbolic link in /etc/prosody/conf.d/ with:

ln -sf /etc/prosody/conf.avail/im.example.org.cfg.lua /etc/prosody/conf.d/im.example.org.cfg.lua

Several hosts in one configuration

Here is an example declaring a single configuration for multiple hosts (thank you MattJ):

for _, host in ipairs { "example.net", "example.org" } do
    VirtualHost (host)
    option1 = "foo"
    option2 = "bar"
end

Create users (single)

Creating user accounts is done with the command prosodyctl:

prosodyctl adduser romeo@im.example.org

open firewall for ports 5222 and 5269, for IPv4 and IPv6

create DNS SRV records for optimal federation / domain delegation
use this template:
_xmpp-client._tcp.example.com. 18000 IN SRV 0 5 5222 xmpp.example.com.
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 xmpp.example.com.
_jabber._tcp.example.com 18000 IN SRV 0 5 5222 xmpp.example.com <-- is that still relevant? also.. no dots after the TLD? doubt this will work...
in fact: the domain is automatically added, so just add these two:
_xmpp-client._tcp type SRV with value 0 5 5222 xmpp.domain.com.
_xmpp-server._tcp type SRV with value 0 5 5269 xmpp.domain.com.
it must point to an existing A-record - not an IP address (this also helps with IPv6 I guess...)

;; QUESTION SECTION:
;_xmpp-client._tcp.rudel.nl. IN SRV

;; ANSWER SECTION:
_xmpp-client._tcp.rudel.nl. 3600 IN SRV 0 5 5222 telecity.rudel.nl.

;; ADDITIONAL SECTION:
telecity.rudel.nl. 3600 IN A 80.252.86.117

– rkhunter

– sendmail / mail server?
— dovecot imap and roundcube look neat – with a plugin for owncloud? awesome!
– tarpitting / greylisting / smarthost with ISP relay?
found iredmail!
http://www.iredmail.org/install_iredmail_on_ubuntu.html
the install script works nicely on a new/fresh ubuntu server – delete the defaults later and change the passwords
set up domain records (MX and A-records) and set up SPF

– two-factor authentication? google authenticator?
sudo apt-get install libpam-google-authenticator
run google-authenticator as the user you will be logging in as
it will create a qr code with the secret key that google authenticator app can scan
it will also update the PAM module and ask you some questions
do this for every user

now edit /etc/pam.d/sshd
add this line:
# enable Google authenticator
auth required pam_google_authenticator.so

then edit /etc/ssh/sshd_config
and change or add this line so it says yes
ChallengeResponseAuthentication yes

restart ssh to enable
sudo service ssh restart

next login looks like this:
login as: andreas
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code:
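What the Verification code prompt actually checks, as an added example (not from this log or from the google-authenticator module): a TOTP code per RFC 6238, which the PAM module computes from the base32 secret stored in ~/.google_authenticator, with a small tolerance window for clock skew between phone and server. The secret below is the RFC 6238 test seed, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.strip().upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time=None, step=30):
    """RFC 6238 TOTP, i.e. what the phone app shows: HOTP with counter = floor(t / 30)."""
    t = int(time.time()) if unix_time is None else int(unix_time)
    return hotp(secret_b32, t // step)

def verify_totp(secret_b32, code, unix_time=None, window=1, step=30):
    """Accept the code for the current 30 s step or one of its +/-window neighbours.
    hmac.compare_digest keeps the comparison constant-time."""
    t = int(time.time()) if unix_time is None else int(unix_time)
    counter = t // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), str(code).strip())
               for d in range(-window, window + 1))

# RFC 6238 test seed "12345678901234567890" in base32; NOT a real secret.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("current code for the test seed:", totp(TEST_SECRET))
```

If a login fails with a freshly generated code, compare the server clock against the phone first: a drift beyond the window makes every code look wrong.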