====== Bock 2018 ======

===== Base system information =====

  * VPS @Omnitec, 2CPU, 2GB, 100GB
  * Base IP: 206.197.251.210

===== Operating system installation =====

==== Source media or media image ====

  * Standard Debian 9

==== Installation method ====

==== Installation options selected ====

===== Critical Services =====

  * Telnet client for testing
  * Web - php, php-mysql, mb, php-imap; split vhost logs
  * DNS
  * [[Email]]
  * [[bock-2018-spamassassin|SpamAssassin]]
  * [[Fail2Ban]]
  * Lists

==== DNS ====

  * The master DNS zone is on Bock, but Bock is NOT published as an NS (a hidden primary).
  * Public DNS is provided via BuddyNS [.org], to which SLUUG contributes a few bucks a year.

==== Lists ====

[[Security Notes]]

[[bock-2018-mailman|Mailman Migration]]

==== Apache configuration ====

  a2enmod ssl.load
  a2enmod info

The port-80 redirect stanzas used below also need mod_rewrite (''a2enmod rewrite''). mod_info publishes the complete running configuration at ''/server-info''; Debian's ''info.conf'' restricts it to local requests by default, so keep that restriction or disable the module once debugging is done.

==== Let's Encrypt ====

  * certbot from github is current and is required for wildcard certs (the certbot packaged in Debian 9 predates ACME v2, which wildcards need).
  * Install requires dev libraries for headers:
    * aptitude install python2.7-dev
    * aptitude install libffi-dev
    * aptitude install libssl-dev
  * Setup: ''python setup.py install''
  * Generate: ''certbot certonly --manual -d *.sluug.org --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory''
  * Caveats: ''*.sluug.org'' covers exactly one label below the apex, so this certificate does not cover ''sluug.org'' itself (add ''-d sluug.org'' if the bare name is served) or deeper names such as ''a.b.sluug.org''. The TXT record has to be visible on the public (BuddyNS) servers, not only on the hidden master, before pressing Enter. Because the challenge was done with ''--manual'' and no auth hook, ''certbot renew'' cannot complete unattended; the DNS step must be repeated by hand (or scripted with ''--manual-auth-hook'') before the expiry date printed below.
  * Result:

<code>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.sluug.org with the following value:

EGAoTq2e_Cf8TwYV4EN7zBLNfdgHodgoy9yX_WaLrGY

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sluug.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sluug.org/privkey.pem
   Your cert will expire on 2018-09-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
</code>

==== Setting up SSL for web sites ====

To force port 80 traffic to port 443, replace the stanza, leaving the "ServerName" or "ServerAlias" lines intact:
<code apache>
        ServerName a.sluug.org
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =a.sluug.org
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</code>

To use certs, edit the stanza that has the desired ServerName or ServerAlias line in it. At the top of the stanza, add the following:

<code apache>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/sluug.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sluug.org/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</code>

The following copy of wiki.sluug.org.conf is the perfect example of the smallest possible config file that incorporates both of these: the redirect in the port-80 vhost and the certificate in the port-443 vhost.

<code apache>
<VirtualHost *:80>
        ServerName wiki.sluug.org
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =wiki.sluug.org
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/sluug.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sluug.org/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerName wiki.sluug.org
        UseCanonicalName On
        DocumentRoot /srv/www/wiki.sluug.org/public
        # Directory path assumed to match the DocumentRoot; the container
        # lines were lost in the wiki rendering and are restored here.
        <Directory /srv/www/wiki.sluug.org/public>
                AllowOverride All
                Options FollowSymLinks MultiViews
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
</code>

''Order allow,deny'' / ''Allow from all'' is Apache 2.2 syntax; on the Apache 2.4 shipped with Debian 9 it only works because mod_access_compat is enabled, and ''Require all granted'' is the native 2.4 form.

==== Misc packages installed ====

=== lynx lynx-cur ===

This also installed: lynx-common

=== w3m ===

=== elinks ===

=== mutt ===

This also installed: libgmime-2.6-0 libgpgme11 libnotmuch4 libtalloc2 libtokyocabinet9

=== dnsutils ===

=== at ===

=== mailutils ===

=== Not listed here ===

For a list of installed packages and when, a good resource is ''/var/log/apt/history.log*''

==== Misc configuration ====

Documentation: /usr/source/Docuwiki

Edit ''/etc/ssh/sshd_config'' to change the ''PermitRootLogin'' value from ''yes'' to ''forced-commands-only''. With that value root can still authenticate by public key, but only with keys whose ''authorized_keys'' entry carries a ''command='' option (remote backup jobs and the like); interactive and password logins as root are refused. Reload sshd afterwards and confirm the effective value with ''sshd -T''.

Add all users in the ''sudo'' group to the ''adm'' and ''systemd-journal'' groups to allow them to read the logs (''/var/log'' and the journal) without being root. See [[https://wiki.debian.org/SystemGroups]]
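The checks a practitioner would run after the steps on this page, collected into one script: that the ACME challenge TXT record is visible before pressing Enter in certbot, that the port-80 vhost really answers with a 301 to https, that the certificate's SANs cover the vhost name (a wildcard covers one label only), which ''sudo'' members still lack ''adm'' / ''systemd-journal'', and what ''PermitRootLogin'' sshd actually enforces. This is an added example written for this page, not code from the SLUUG wiki; the function names, the ''--live'' defaults (''ZONE=sluug.org'', ''HOST=wiki.sluug.org'') and the sample inputs in the comments are assumptions. Each check is a function over captured text, so it can be tried offline.

```shell
#!/bin/sh
# Post-build checks for the Bock 2018 notes. Added example, not part of the
# original wiki page. Every check is a function over captured command output
# (constructed inputs shown in the comments); "--live" runs the real commands.

# 1. ACME dns-01: is the token certbot printed already served by public DNS?
#    $1 = output of: dig +short TXT _acme-challenge.ZONE   $2 = token
txt_has_value() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# 2. HTTP -> HTTPS: the *:80 vhost must answer 301 with an https: Location.
#    $1 = output of: curl -sI http://HOST/   Prints the target, fails otherwise.
redirect_target() {
    local hdrs
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -q ' 301 ' || return 1
    printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" && $2 ~ /^https:/ { print $2; f = 1; exit }
                                 END { exit !f }'
}

# 3. Certificate coverage. *.sluug.org matches exactly one label, so
#    sluug.org itself and a.b.sluug.org are NOT covered by it.
#    $1 = SAN line from: openssl x509 -noout -text  ("DNS:*.sluug.org, DNS:sluug.org")
#    $2 = host name to check. Subshell body so set -f stays local.
san_covers() (
    set -f                           # the literal '*' must not glob against the cwd
    host=$2; parent=${host#*.}       # parent = host with its first label removed
    for san in $(printf '%s\n' "$1" | tr ',' ' '); do
        san=${san#DNS:}
        [ "$san" = "$host" ] && exit 0
        case $san in
            '*.'*) [ "${san#\*.}" = "$parent" ] && [ "$parent" != "$host" ] && exit 0 ;;
        esac
    done
    exit 1
)

# 4. Log access for admins.
#    $1 = the line from: getent group sudo   -> one member per line
sudo_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "sudo" { n = split($4, u, ","); for (i = 1; i <= n; i++) if (u[i] != "") print u[i] }'
}
#    $1 = output of: id -nG USER   -> each of adm / systemd-journal the user lacks
missing_log_groups() {
    for g in adm systemd-journal; do
        case " $1 " in *" $g "*) ;; *) printf '%s\n' "$g" ;; esac
    done
}

# 5. Effective sshd setting (sshd -T prints the merged config, lowercase keys).
#    $1 = output of: sshd -T   -> prints the PermitRootLogin value
sshd_root_login() {
    printf '%s\n' "$1" | awk '$1 == "permitrootlogin" { print $2; exit }'
}

# --live: run against the real host (needs dig, curl, openssl; root for sshd -T).
# Set TOKEN to the value certbot printed to check the TXT record.
if [ "${1:-}" = "--live" ]; then
    ZONE=${ZONE:-sluug.org}; HOST=${HOST:-wiki.sluug.org}
    if [ -n "${TOKEN:-}" ]; then
        txt_has_value "$(dig +short TXT "_acme-challenge.$ZONE")" "$TOKEN" \
            && echo "TXT ok on public DNS" || echo "TXT missing/stale: do not press Enter yet"
    fi
    redirect_target "$(curl -sI "http://$HOST/")" >/dev/null || echo "$HOST: no 301 to https"
    san=$(openssl x509 -noout -text -in "/etc/letsencrypt/live/$ZONE/fullchain.pem" \
          | grep -A1 'Subject Alternative Name' | tail -n 1)
    san_covers "$san" "$HOST" || echo "$HOST: not covered by cert SANs ($san)"
    for u in $(sudo_members "$(getent group sudo)"); do
        for g in $(missing_log_groups "$(id -nG "$u")"); do
            echo "usermod -aG $g $u"      # printed for review, not executed
        done
    done
    [ "$(sshd_root_login "$(sshd -T 2>/dev/null)")" = forced-commands-only ] \
        || echo "PermitRootLogin is not forced-commands-only"
fi
```

Run it as ''sh bock-checks.sh --live'' on Bock; without ''--live'' it only defines the functions. ''dig +short'' without ''@server'' asks the local resolver, so for a fresh TXT record point it at one of the BuddyNS servers to avoid a cached negative answer.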