
VPS Setup


Base VPS Setup

General

  • General packages

      yum install -y git vim epel-release bind-utils
    
  • Custom prompt is set via a profile script /etc/profile.d/prompt.sh

      if [ "$PS1" ]; then
          PS1="[\u@\h\[\e[1;35m\] [STUTS VPS]\[\e[0m\] \W]\\$ "
      fi
    
  • Disable SELinux

SSH Security

Due to hosting in the cloud, it’s quite common to have many login attempts to public SSH ports which can cause performance issues and potentially lead to the server becoming compromised. See the example below:

Last failed login: Tue Oct 13 11:08:44 UTC 2020 from 139.155.35.220 on ssh:notty
There were 26205 failed login attempts since the last successful login.

To combat this, change the SSH port to a non-default one in /etc/ssh/sshd_config and restart the service. You may also need to amend the firewall rules (firewall-cmd --add-port NEWPORT/tcp --zone public --permanent && firewall-cmd --reload).

Note: Alternatively a VPN connection could be required to connect to the server and SSH can be completely locked off from the outside world, however, I’m currently too lazy for that.

Web Server

Nginx

Nginx is compiled from source to include webdav support (for Joplin file syncing)

yum install -y libxml2-devel libxslt-devel

cd /tmp
wget https://github.com/arut/nginx-dav-ext-module/archive/v3.0.0.zip
unzip v3.0.0.zip

wget https://github.com/nginx/nginx/archive/release-1.17.8.zip
unzip release-1.17.8.zip

cd nginx-release-1.17.8
./auto/configure --user=nginx --group=nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_ssl_module --with-stream --without-http_empty_gif_module --with-http_dav_module --add-module=../nginx-dav-ext-module-3.0.0
make
make install

cat << 'EOF' > /usr/lib/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

Ref - https://deviant.engineer/2016/06/webdav-centos7/

SSL

  • Certbot installation

      yum install -y letsencrypt
    

Global Wildcard Cert (Manual Renewal)

  • Generate certificates with the command below, run from /root so the keys land under /root/live (verify the DNS challenge record with dig -t TXT _acme-challenge.stuts.uk before continuing)

      mkdir /tmp/certbot; certbot certonly --manual --work-dir /tmp/certbot --logs-dir /tmp/certbot --config-dir . --preferred-challenges dns
    
  • Put keys in place with

      mkdir -p /etc/ssl/nginx
      cp /root/live/domain.name/{fullchain.pem,privkey.pem} /etc/ssl/nginx/
    
  • Note: If generating SSL keys for a specific domain then be sure to add SSL directives in the server definition itself to override the Nginx global SSL config.

Auto-Renewal (All Sites)

It seems to be possible to set up letsencrypt to generate certificates for all of the sites configured in Nginx. This would allow headless renewal of SSL certs.

yum install python2-certbot-nginx

# Capture all site names in nginx
SITES="$(nginx -T | grep "server_name " |sed 's/.*server_name //g;s/\;//g;s/ /\n/g')"

# Generate certificates, specify name to prevent the first domain name being used as the cert common name
certbot --cert-name all-sites --nginx -d stuts.uk -d $(echo $SITES |sed 's/ / -d /g')

# Set up auto-renew (root's own crontab via "crontab -e" has no user column;
# a "root" user field only belongs in /etc/crontab or /etc/cron.d/*)
crontab -e
    0 */12 * * * certbot -q renew --nginx
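As an added example (not from the original page), a stricter POSIX sh version of the SITES capture step above: it reads the `nginx -T` dump on stdin and drops names that would make `certbot --nginx` fail, such as the catch-all `_`, localhost, wildcard or regex names, and duplicates. The sample config embedded below is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: a stricter version of the
# SITES="$(nginx -T | grep ...)" capture above. Reads the output of
# `nginx -T` on stdin and prints one certificate name per line, skipping
# names "certbot --nginx" cannot validate: the catch-all "_", localhost,
# wildcard/".example" forms, regex names, and duplicates.
# Caveat: a server_name directive spread over several lines is not handled.
site_names() {
    sed -e 's/#.*$//' \
        -e '/^[[:space:]]*server_name[[:space:]]/!d' \
        -e 's/^[[:space:]]*server_name[[:space:]]*//' \
        -e 's/;.*$//' |
    tr -s ' \t' '\n' |
    grep -v -e '^$' -e '^_$' -e '^localhost$' -e '^\*' -e '^\.' -e '^~' |
    sort -u
}

# Turn the name list into the "-d a -d b ..." argument string for certbot.
certbot_args() {
    site_names | sed 's/^/-d /' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of what `nginx -T` prints (not a real dump).
SAMPLE_CONF='# configuration file /etc/nginx/nginx.conf:
server {
    listen 80 default_server;
    server_name _;
}
server {
    server_name stuts.uk www.stuts.uk; # main site
    server_name_in_redirect off;
}
server {
    server_name blog.stuts.uk *.dev.stuts.uk localhost;
}
server {
    server_name www.stuts.uk;
}'

# Stand-alone demo; on the VPS you would pipe the real dump instead:
#   certbot --cert-name all-sites --nginx $(nginx -T | certbot_args)
printf '%s\n' "$SAMPLE_CONF" | certbot_args
```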

Ref:

Ruby