Video on configuring VPS on Linode
Habré is full of different instructions on how to associate Nginx with php5-fpm, even I already wrote this . But today I offer something new, namely the video- instructions for buying and setting up your own VPS on Linode .
The post is located in the MODX hub is not accidental, the lesson uses special scripts for convenient work with MODX Revolution sites.
Watch the video is absolutely not recommended super cool admins and pregnant women!
')
Under the cut the details of the organization + work plan with pieces of code for easy copying and pasting.
The server is based on Ubuntu + Nginx + Php5-fpm + mySql + Sendmail .
Each site has
- 1 selected user
- 1 database
- 1 SFTP access
All site files belong to this user, he can go remotely and change them. Php for the site runs on behalf of this user and has his rights.
In addition to restricting php rights to user rights, it also starts with disabling dangerous functions and including open_basedir in the user directory.
This configuration, in my opinion, is as safe as possible. If one site is broken, everyone else cannot even touch it.
It’s just physically impossible to rise above your directory without breaking into the kernel of the operating system — and this is a completely different level of attack.
For access to the server console user user is used . I advise you to create this user under a different name. The root user is not allowed to log in at all, so that an attacker, in addition to a password, also had to pick up a name.
After logging into the server, user can do sudo and get root privileges.
This user should only be used to manage the server. He has no sites, he does not own files sites. Of course, he can also use SFTP for his needs.
The ssh port itself is protected from busting iptables by blocking failed login attempts for 30 seconds.
The mail server is configured only to send emails. Receiving mail, I recommend giving Yandex or Google .
All the work with the sites is provided by my console scripts, which remove the whole buzzhead on the creation of sites, databases and other routines.
I advise you to set up backup and upload to Dropbox yourself, this is not on the video.
1. Registration at Linode
I propose to register two links: referral (click Sign up at the top right), and the usual one . Click depending on your mood.
For payment, I used Qiwi Visa Virtual , on which I put $ 20 .
If you pay in the second half of the month - then they will withdraw money for a month and a half. If in the first - then only for the rest of the current, so there was only about $ 16.
2. Configure ssh
You need to disable root login, create a user for sudo, and protect port 22.
Protection script
In / etc / ssh / sshd_config
- Change PermitRootLogin no
- Commenting on
- Add to the end
3. Installing the right packages
During installation, you need to specify a password for root mySql.
4. Mail Setup
In / etc / hosts, you need to specify an external server ip for your domain (or localhost) so that sendmail can determine its ip.
The domain name must be specified in / etc / hostname .
Then you need to specify not to accept your own letters when sending to your domain in /etc/mail/sendmail.mc
Then in console
And check
5. Installing and checking MODX scripts
Addplace - gist.github.com/bezumkin/3833852 - Creates site space
Install - gist.github.com/bezumkin/2179479 - Creates a place and puts MODX
Update - gist.github.com/bezumkin/2179440 - MODX Update
Remove - gist.github.com/bezumkin/2179492 - Deleting a site with a site and database
6. Install PhpMyAdmin
Downloading the distribution from here .
Create a writeable config directory, set up a login \ password for the database and save the config.
Then we transfer it to the root of the site, slightly change the dump of the pma tables and import them into the database.
Do not forget to delete the config and setup directories after successful configuration.
Now everything should work.
Now at post -2 . 12 pros and 14 cons.
Indeed, this is such a bad and unnecessary post for anyone, that it should be flooded, so that no one saw it?
And who are the 34 people who bookmarked it?
Suppose I’m going to get upset and remove the unnecessary post in drafts - to whom will this be better? There is an opinion that 34 people will not be happy when they are going to re-read it. And 14 people will never know about it. Minusanul silently and went on.
Where is the criticism of the video, where is an indication of the shortcomings, or maybe links to these videos? Am I running Apache2 from under the root, or what?
It looks like this is the last time I publish something on Habré. Probably, I just don’t understand what the local audience needs.
The post is located in the MODX hub is not accidental, the lesson uses special scripts for convenient work with MODX Revolution sites.
Watch the video is absolutely not recommended super cool admins and pregnant women!
')
Under the cut the details of the organization + work plan with pieces of code for easy copying and pasting.
How does it work
The server is based on Ubuntu + Nginx + Php5-fpm + mySql + Sendmail .
Each site has
- 1 selected user
- 1 database
- 1 SFTP access
All site files belong to this user, he can go remotely and change them. Php for the site runs on behalf of this user and has his rights.
In addition to restricting php rights to user rights, it also starts with disabling dangerous functions and including open_basedir in the user directory.
This configuration, in my opinion, is as safe as possible. If one site is broken, everyone else cannot even touch it.
It’s just physically impossible to rise above your directory without breaking into the kernel of the operating system — and this is a completely different level of attack.
For access to the server console user user is used . I advise you to create this user under a different name. The root user is not allowed to log in at all, so that an attacker, in addition to a password, also had to pick up a name.
After logging into the server, user can do sudo and get root privileges.
This user should only be used to manage the server. He has no sites, he does not own files sites. Of course, he can also use SFTP for his needs.
The ssh port itself is protected from busting iptables by blocking failed login attempts for 30 seconds.
The mail server is configured only to send emails. Receiving mail, I recommend giving Yandex or Google .
All the work with the sites is provided by my console scripts, which remove the whole buzzhead on the creation of sites, databases and other routines.
I advise you to set up backup and upload to Dropbox yourself, this is not on the video.
Installation steps
1. Registration at Linode
I propose to register two links: referral (click Sign up at the top right), and the usual one . Click depending on your mood.
For payment, I used Qiwi Visa Virtual , on which I put $ 20 .
If you pay in the second half of the month - then they will withdraw money for a month and a half. If in the first - then only for the rest of the current, so there was only about $ 16.
2. Configure ssh
You need to disable root login, create a user for sudo, and protect port 22.
Protection script
#!/bin/bash # iptables -F INPUT iptables -Z INPUT iptables -P INPUT ACCEPT iptables -F OUTPUT iptables -Z OUTPUT iptables -P OUTPUT ACCEPT iptables -F FORWARD iptables -Z FORWARD iptables -P FORWARD ACCEPT # ssh, - 30 iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT In / etc / ssh / sshd_config
- Change PermitRootLogin no
- Commenting on
#Subsystem sftp /usr/lib/openssh/sftp-server- Add to the end
Subsystem sftp internal-sftp Match Group sftp ChrootDirectory %h AllowTCPForwarding no ForceCommand internal-sftp 3. Installing the right packages
apt-get install python-software-properties add-apt-repository ppa:nginx/stable apt-get update apt-get dist-upgrade -y apt-get install nginx php5-fpm mysql-server php5-mcrypt php5-mysql php5-curl php-db php5-gd unzip zip sendmail htop During installation, you need to specify a password for root mySql.
4. Mail Setup
In / etc / hosts, you need to specify an external server ip for your domain (or localhost) so that sendmail can determine its ip.
The domain name must be specified in / etc / hostname .
127.0.0.1 localhost 195.167.123.115 mydomain.com mydomain Then you need to specify not to accept your own letters when sending to your domain in /etc/mail/sendmail.mc
define(`MAIL_HUB', `mydomain.com.')dnl define(`LOCAL_RELAY', `mydomain.com.')dnl Then in console
sendmailconfig service sendmail restart And check
echo -e "To: user@mydomain.com\nSubject: Test\nTest\n" | sendmail -bm -t -v 5. Installing and checking MODX scripts
Addplace - gist.github.com/bezumkin/3833852 - Creates site space
Install - gist.github.com/bezumkin/2179479 - Creates a place and puts MODX
Update - gist.github.com/bezumkin/2179440 - MODX Update
Remove - gist.github.com/bezumkin/2179492 - Deleting a site with a site and database
6. Install PhpMyAdmin
Downloading the distribution from here .
Create a writeable config directory, set up a login \ password for the database and save the config.
Then we transfer it to the root of the site, slightly change the dump of the pma tables and import them into the database.
Do not forget to delete the config and setup directories after successful configuration.
Now everything should work.
Updated.
Now at post -2 . 12 pros and 14 cons.
Indeed, this is such a bad and unnecessary post for anyone, that it should be flooded, so that no one saw it?
And who are the 34 people who bookmarked it?
Suppose I’m going to get upset and remove the unnecessary post in drafts - to whom will this be better? There is an opinion that 34 people will not be happy when they are going to re-read it. And 14 people will never know about it. Minusanul silently and went on.
Where is the criticism of the video, where is an indication of the shortcomings, or maybe links to these videos? Am I running Apache2 from under the root, or what?
It looks like this is the last time I publish something on Habré. Probably, I just don’t understand what the local audience needs.
Source: https://habr.com/ru/post/168933/
All Articles