Cheat Sheet: Automating the set up of a Linux-based VPS
Date published: 2018-03-21
Last updated: 2018-03-21
Here is a collection of ideas when scripting the set up of a Debian-based Linux VPS:
- Check your script/suite into a VCS
- Only one input required: the new root pw after the VPS was rebuilt
- Set non-interactive front end
- Set local lang
- Apt upgrade, dist upgrade, clean, autoremove
- Disable and remove all unused packages and services that may come by default (i.e. Apache)
- Remove any orphaned packages
- Install fail2ban
- Create a user for general admin work, SSH, etc.
- Create a non-privileged user for running web server(s)
- Switch to SSH key auth method and disable PAM, password auth, root logins
- Move SSH port
- Implement port knock scheme for SSH
- Set hostname
- Set up /etc/hosts
- Configure outgoing root email for notifications (i.e. crontab, SSH logins, daily encrypted logs, etc.)
- Set up iptables, making persistent, and only allowing the minimum needed for incoming and outgoing
- Consider using deny hosts
- Generate new DH prime and check for uniqueness (if using a DHE suite)
- Put web site DNS on a different server/provider
- Immutable attribute for /etc/passwd
- Implement remote syslogs so they cannot be overwritten when system gets compromised
- Mount /tmp with noexec
- Implement daily emailed encrypted logs (unique AES key encrypted by public RSA)
- Do not keep private RSA key on server used for encrypting emails
- Route all outgoing admin emails through encryption script
- Consider automating package updates
Bonus points for:
- Installing TripWire or similar for auto-adding to deny hosts
- Scheduling daily external scans with a testing framework such as OpenVAS or at least a script running NMAP
- Scheduling daily system integrity scans and storing the checksums externally
- Automating daily log checking for unknown patterns
- Automating daily run of chkrootkit, rkunter, etc.
- Implementing external monitoring and notifications of server/network status (i.e. Nagios)
Other articles on this web site:
- Certbot Automation for Java-based Servers (Cheat Sheet) | 2018-04-11
Ideas on how to automate Letsencrypt's certbot when you are running a Java-based server such as TomCat.
- Secure Server Implementation (Cheat Sheet) | 2018-09-05
Creating a secure Java server without using a framework.
- Designing a Server Monitoring and Alerting Service (Cheat Sheet) | 2018-09-05
A checklist of items when rolling your own server monitoring service.
- Automate everything you possibly can. | 2018-09-05
Automate everything you possibly can from the very beginning before writing the first line of project code.