1st Action Script for new VPS

webeindustry

I'm considering pushing a script for people branching out of shared-hosting that don't want to put the efforts into learning the ropes of how to go about configuring their VPS to be properly secured and ready for a production getup.

If there's any interest I'll make a new repo and cook something up. Feel free to add to this list in a post, I'll edit this OP.

Off the bat, what I'd like to create is a script for ubuntu/debian distributions that offers:

Fail2ban
Automatic security updates
Weekly update/upgrade (no dist-upgrade)
Monthly reboot for all updates to take effect
Enable UFW with general sane policy (ports 22, 80, 443 open, all else closed by default)

Suggestions are welcome.

It would be nice to add an SSH key, new user acct, disable password login, disable root login. Problem with this is user must be aware of how to store their key, and utilize it properly.

I made the script:

https://github.com/webeindustry/1stAction

You can run it with this 1liner:

wget -qO- https://raw.githubusercontent.com/webeindustry/1stAction/master/runme.sh | sh

Kulga

Looks interesting! Might be interested in helping with that.

webeindustry Monthly reboot for all updates to take effect

Why this though? Unless you're updating the kernel, you don't really ever need to reboot. Just restart each process as it updates - which is often done automatically with apt-get upgrade.

webeindustry

Kulga

Yea linux is awesome like that. You can definitely restart each service that has been updated, and this does almost always seem to happen automatically.

I have found, though, that a "system restart is necessary for updates to take effect" pops up once every 2-3 weeks when logging in via ssh.

Kulga

webeindustry I have found, though, that a "system restart is necessary for updates to take effect" pops up once every 2-3 weeks when logging in via ssh.

Does your hoster trigger this message? Unless you're using a hoster that upgrades to new kernels extremely often, you should not need to do this. Odd! (and concerning)

Anyways, will this script be expecting a gui? Pretty sure UFW is gui. If it's going to be automatic, a iptables script might work. But either is tricky since a accidental mis-configure could lock users out so it'd have to be rock solid.

webeindustry

Kulga

UFW is uncomplicated firewall, it's a standard package on some debian/ubuntu server distributions. It doesn't require GUI.

I have dedi's, and VPS's. None of them are para-virtualization like OpenVZ where you're limited to the kernel of the hypervisor/host-os. Do you use debian/ubuntu? That's a message which happens on my machines regardless of where it's hosted.

Iptables is good if you know exactly what you're doing. That's why I suggest UFW. The commands are very straight forward and simple to understand.

Kulga

This explained some stuff
https://serverfault.com/questions/92932/how-does-ubuntu-keep-track-of-the-system-restart-required-flag-in-motd

I suppose check for this file and if it exists, reboot at a appropriate time?
I've never had this occur (thinking maybe systemd thing) but if it's needed, it's needed.

webeindustry

Kulga

Yea, I think it's mostly or wholly related to automatic security updates which require rebooting. This happens fairly frequently. On test systems I'm constantly jacking around, updating, and rebooting for good measure after reworking a lot of things. On production rigs, it's usually a period of time of change and then settling in where one of the last things tends to be scripting to keep everything rocking with very limited hands on necessary afterwards. Perhaps a dist-upgrade assessment seasonally or biyearly.

Oh, yea that would be rather easy to do. If exists in bash tiny script. I would like to make sure it happens during off-peak hours. My reboots are in cron for 3 or 4 am kinda deal. It could be a daily task triggered early AM. That would be a better routine.

Kakifrucht

I can only recommend following this guide: http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers

SSHGuard is generally working better than Fail2Ban imo.

webeindustry

It's a good first 5 mins, and I covered the others which would be great, but perhaps a bit beyond most noobs who would like to run this script in the first place. The logwatch is a very good call, but most mail not properly configured would either be denied, else thrown in a spam box.

webeindustry

I made the script:

https://github.com/webeindustry/1stAction

You can run it with this 1liner:

wget -qO- https://raw.githubusercontent.com/webeindustry/1stAction/master/runme.sh | sh

This will run nightly at 3:03 server time, update the system, and reboot if necessary.

Kulga

webeindustry Nice!

I've been working on a initial get-flarum-working script.
Might go nicely with this

Ralkage

Thank you my good sir!

I hate bots and every other attempt to disrupt my forum communities and this script is perfect for my OVH VPS.