Nico Felbinger edited this page Jul 31, 2020 · 12 revisions

Admin Guide

Install Basic Software

$ apt-get update
$ apt-get -y dist-upgrade
$ apt-get -y install apt sudo curl nano

Create admin group

$ groupadd -g 997 admin
$ mkdir /home/admin
$ chown -R root:admin /home/admin
$ chmod -R 775 /home/admin

The admin group is shared by the user accounts created below. Mode 775 on its own does not keep files in /home/admin group-owned by admin: a file created there gets the creating user's primary group. If the directory is meant to stay a shared group directory, set the setgid bit on it (mode 2775) so new files inherit the admin group.

Create Users

You should create at least one user account and use it instead of the root user. Let's create a new user called user and add him to the groups sudo and admin.

$ adduser user
$ usermod -aG sudo,admin user

Add the SSH public keys of the users to their home directories

There are several ways to add a public key to the file ~/.ssh/authorized_keys. One is to run ssh-copy-id user@ip on the client machine (authenticating with, for example, the password); ssh-copy-id copies the key there and creates ~/.ssh with the permissions sshd expects.
Another option is to append your public key manually to ~/.ssh/authorized_keys, one key per line, in the format ssh-type public_key [comment]:

# example for an rsa key:
echo "ssh-rsa AAAAB... my_computer" >> ~/.ssh/authorized_keys

The comment at the end of the line is taken from the public key file on your machine (ssh-keygen puts user@host there). ssh-copy-id keeps it; when you add the key manually you can leave it out or replace it with a label of your own. Whichever way you add the key, ~/.ssh must be mode 700 and authorized_keys mode 600, both owned by the user: with the default StrictModes yes, sshd ignores authorized_keys when the file, ~/.ssh or the home directory is writable by group or others, and the login silently falls back to the password.
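The manual variant from above, written as a small script (an added example, not from the original page): it installs a key the way ssh-copy-id does, refuses lines that are not OpenSSH public keys, skips keys that are already present, and then checks the permissions StrictModes requires. It assumes a POSIX sh with GNU coreutils (stat -c); the home directory and the key lines are placeholders.

```sh
#!/bin/sh
# Added example (not part of the original page): install a public key for a user
# the way ssh-copy-id does, and check the permissions that sshd's StrictModes
# (on by default) requires before it will read authorized_keys.
# Assumes POSIX sh plus GNU coreutils (stat -c); paths and keys are placeholders.

# add_authorized_key HOME_DIR "ssh-type base64-key [comment]"
# Creates ~/.ssh (0700) and authorized_keys (0600) if needed, rejects anything
# that is not an OpenSSH public key line, and skips keys that are already there
# (same type and key material; the trailing comment is ignored for comparison).
add_authorized_key() {
    home="$1"; keyline="$2"
    ktype=$(printf '%s\n' "$keyline" | awk '{print $1}')
    kblob=$(printf '%s\n' "$keyline" | awk '{print $2}')
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "refusing line that is not an OpenSSH public key: $ktype" >&2; return 1 ;;
    esac
    [ -n "$kblob" ] || { echo "missing key material" >&2; return 1; }
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    keys="$home/.ssh/authorized_keys"
    [ -f "$keys" ] || : > "$keys"
    chmod 600 "$keys" || return 1
    if awk -v t="$ktype" -v b="$kblob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$keys"; then
        return 0   # already installed, nothing to do
    fi
    printf '%s\n' "$keyline" >> "$keys"
}

# strict_modes_ok HOME_DIR
# Mirrors the check sshd makes with StrictModes: the home directory, ~/.ssh and
# authorized_keys must not be writable by group or others, else the key is ignored.
strict_modes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        mode=$(stat -c '%a' "$p") || return 1
        mode=$(printf '%04d' "$mode")           # pad, e.g. 700 -> 0700, so ugo are the last 3 digits
        g=$(printf '%s' "$mode" | cut -c3); o=$(printf '%s' "$mode" | cut -c4)
        if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "$p is writable by group/others (mode $mode); sshd will ignore the key" >&2
            return 1
        fi
    done
}

# count_authorized_keys HOME_DIR -> number of key lines in authorized_keys
count_authorized_keys() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -c '^[a-z]' "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}

# usage (placeholder home and key):
#   add_authorized_key /home/user "ssh-ed25519 AAAAC3... my_computer" && strict_modes_ok /home/user
```

Note that the shared /home/admin directory created earlier is mode 775; with StrictModes that is exactly the kind of directory sshd refuses as a login home, so keep it as a shared working directory and let each user's real home stay mode 755 or stricter.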

Configure DNS

@ A 123.123.123.123                             # point domain.tld to the server ip
* A 123.123.123.123                             # wildcard: point every subdomain that has no records of its own to the ip
@ CAA 0 issue "letsencrypt.org"                 # only letsencrypt.org may issue certificates for your domain
@ CAA 0 iodef "mailto:monitoring@domain.tld"    # address to which CAs report certificate requests that violate this policy

Configure reverse DNS

Reverse DNS (the PTR record) maps an ip address back to a name. The in-addr.arpa zone belongs to your hosting provider, not to your domain registrar, so this is set in the server control panel.

Validate DNS updates

DNS updates can take quite some time to propagate (resolvers keep the old answer cached until its TTL expires)! Query a public resolver directly to see what the rest of the world gets:

$ dig A domain.tld @1.1.1.1
...
;; ANSWER SECTION:
domain.tld.	86400	IN	A	123.123.123.123
...

$ dig A nonexisting.domain.tld @1.1.1.1
...
;; ANSWER SECTION:
nonexisting.domain.tld.	86400	IN	A	123.123.123.123
...


$ dig CAA domain.tld @1.1.1.1
...
;; ANSWER SECTION:
domain.tld.	86400	IN	CAA	0 iodef "mailto:monitoring@domain.tld"
domain.tld.	86400	IN	CAA	0 issue "letsencrypt.org"
...

$ nslookup 123.123.123.123
123.123.123.123.in-addr.arpa	name = domain.tld.
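Checking a few resolvers by hand gets tedious while you wait for propagation. The following script is an added example (not part of the original page) that repeats the A and CAA checks above against several public resolvers and reports any that still serve an old address or allow another CA. It assumes dig (dnsutils) is installed; domain.tld and 123.123.123.123 are the placeholders used on this page, and the resolver list is a choice, not something the page prescribes.

```sh
#!/bin/sh
# Added example, not part of the original page: check that several public
# resolvers already return the expected A record and the intended CAA policy,
# so you know the update has propagated before requesting a certificate.
# Assumes dig is installed; domain.tld / 123.123.123.123 are placeholders.

EXPECTED_IP="123.123.123.123"
EXPECTED_CA="letsencrypt.org"
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"

# a_record_ok EXPECTED_IP ANSWER
# ANSWER is the output of 'dig +short A ...' (one address per line). Succeeds only
# if at least one address came back and every address is the expected one, so a
# resolver still serving the old address (or old and new) is reported.
a_record_ok() {
    expected="$1"; answer="$2"
    [ -n "$answer" ] || return 1
    for ip in $answer; do
        [ "$ip" = "$expected" ] || return 1
    done
    return 0
}

# caa_ok CA ANSWER
# ANSWER is the output of 'dig +short CAA ...', e.g. 0 issue "letsencrypt.org".
# Succeeds if an issue record for CA is present and no other CA is authorised.
caa_ok() {
    ca="$1"; answer="$2"
    printf '%s\n' "$answer" | grep -q "^[0-9]* issue \"$ca\"$" || return 1
    if printf '%s\n' "$answer" | grep '^[0-9]* issue ' | grep -qv "\"$ca\""; then
        return 1   # some other CA is allowed to issue as well
    fi
    return 0
}

# check_resolver RESOLVER DOMAIN: query one resolver and report mismatches
check_resolver() {
    resolver="$1"; domain="$2"
    a=$(dig +short A "$domain" "@$resolver")
    caa=$(dig +short CAA "$domain" "@$resolver")
    a_record_ok "$EXPECTED_IP" "$a" || { echo "$resolver: A = '$a', expected $EXPECTED_IP"; return 1; }
    caa_ok "$EXPECTED_CA" "$caa" || { echo "$resolver: CAA = '$caa', expected issue \"$EXPECTED_CA\""; return 1; }
    echo "$resolver: ok"
}

# main DOMAIN...: check every domain against every resolver, exit 1 on any mismatch
main() {
    rc=0
    for domain in "$@"; do
        for r in $RESOLVERS; do
            check_resolver "$r" "$domain" || rc=1
        done
    done
    return $rc
}

# usage: sh check_dns.sh domain.tld   (does nothing without a domain argument)
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Run it in a loop until every resolver answers ok; only then request the certificate, since Let's Encrypt checks CAA from its own resolvers and fails the order if they still see a record that does not authorise it.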

Change Hostname

In most cases your hosting provider gave the machine a generated hostname, so let's change that. Write the new short hostname to the file /etc/hostname, then change /etc/hosts according to the following example. Put the fully qualified name first on the line, because that is the name hostname -f reports:

127.0.0.1	      localhost
127.0.1.1	      fqdn.domain.tld server        # <--
123.123.123.123	      fqdn.domain.tld server        # <--

# The following lines are desirable for IPv6 capable hosts
::1                localhost ip6-localhost ip6-loopback
ff02::1            ip6-allnodes
ff02::2            ip6-allrouters

In this case I decided to use the hostname server and assign the fully qualified domain name fqdn.domain.tld to it. To apply the changes, restart the server (or set the hostname with hostnamectl, which applies it immediately).

Configure SSH

After we have successfully logged in with one of the new user accounts and its key, we can reconfigure sshd: set PasswordAuthentication and PermitRootLogin to no in /etc/ssh/sshd_config and reload the ssh service.

Warning: make sure you can log in with your SSH private key before this step, otherwise you will be locked out afterwards! Keep the current session open, reload sshd, and verify a new key-based login from a second terminal before closing the first one.
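The change described above as a script (an added example, not from the original page): it rewrites the options idempotently, including the commented-out defaults Debian ships, checks the result with sshd -t and reloads rather than restarts so the session you are working from survives. It assumes a Debian-style OpenSSH (config in /etc/ssh/sshd_config, service name ssh) and GNU sed/awk. Match blocks are not treated specially: every line for a key is rewritten, which is fine for a config without Match blocks. It also turns off ChallengeResponseAuthentication, a step the page does not mention: with UsePAM yes (the Debian default) a password can still be sent through the keyboard-interactive method while only PasswordAuthentication is no.

```sh
#!/bin/sh
# Added example, not from the original page: set the sshd options from this
# section idempotently, keep a backup, validate with sshd -t and only then reload.
# Assumes Debian-style OpenSSH (/etc/ssh/sshd_config, service 'ssh') and GNU sed/awk.

# set_sshd_option FILE KEY VALUE
# Rewrites every existing line for KEY (including commented-out defaults such as
# "#PermitRootLogin prohibit-password"), or appends the option if it is absent.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eqi "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -Ei "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*$/$key $value/I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> the value sshd would use. The first uncommented
# match wins, which is how sshd itself reads the file.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: key-only logins, no root over ssh
harden_sshd() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    # With UsePAM yes a password can still be sent via keyboard-interactive
    # unless this is off as well.
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# Apply to the live config: run as root from a session you keep open, and test a
# new login before closing it.  usage: sh harden_sshd.sh apply
if [ "${1:-}" = "apply" ]; then
    cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)" || exit 1
    harden_sshd /etc/ssh/sshd_config
    if /usr/sbin/sshd -t; then
        systemctl reload ssh     # reload keeps existing sessions alive
    else
        echo "sshd_config is invalid, not reloading; restore from the .bak file" >&2
        exit 1
    fi
fi
```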

Deploy your services

Now your server has its basic configuration and you can start deploying your services as Docker containers or virtual machines (qemu-kvm).

Backup

I wrote my own backup script in python.

Security reminder: backup.py is executed by a root cron job, so the script, its configuration file and every directory on the path to them must be owned by root and not be writable by anyone else. Otherwise a lower-privileged user who can edit or replace the script can make root copy /etc/shadow somewhere readable, or run arbitrary commands as root (privilege escalation). The same goes for .config.json, which holds the backup configuration including any database credentials, so it should not be readable by other users either.

# install requirements and clone the repository (as root, so everything in /root/pybackup is owned by root)
$ sudo apt -y install python3 python3-pip git
$ sudo git clone https://github.com/felbinger/pybackup /root/pybackup/
$ sudo pip3 install -r /root/pybackup/requirements.txt

# delete the offsite backup part, because we don't need it on the server
$ sudo rm -r /root/pybackup/OffsideBackup

# configure pybackup; the config holds credentials, so keep it readable by root only
$ sudo nano /root/pybackup/.config.json
$ sudo chmod 600 /root/pybackup/.config.json

# run a file (-f) and database (-d) backup once by hand, as root
$ sudo python3.8 /root/pybackup/backup.py -c /root/pybackup/.config.json -df
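The check the security reminder above asks for, as an added example that is not part of pybackup or this page: it walks from the script up to the root of the filesystem and reports any component that is not owned by root or is writable by group or others. The file's own mode is not enough, because a writable directory anywhere above it lets a user rename backup.py away and drop their own in its place. It assumes GNU coreutils (stat -c, readlink -f); the paths are the ones used on this page.

```sh
#!/bin/sh
# Added example, not from pybackup: verify that nothing an unprivileged user can
# write to sits on the path of a script root runs from cron.
# Assumes GNU coreutils (stat -c, readlink -f).

# writable_by_others PATH -> 0 if the group or other write bit is set.
# Sticky world-writable directories such as /tmp are flagged as well; a cron
# script does not belong there anyway.
writable_by_others() {
    mode=$(stat -c '%a' "$1") || return 1
    mode=$(printf '%04d' "$mode")          # pad, e.g. 644 -> 0644, so ugo are the last 3 digits
    g=$(printf '%s' "$mode" | cut -c3); o=$(printf '%s' "$mode" | cut -c4)
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

# check_chain FILE TOP OWNER
# Walks from FILE up to and including TOP; every component must be owned by OWNER
# and must not be writable by anyone else. Prints each offending path and
# returns 1 if there is any.
check_chain() {
    p=$(readlink -f "$1") || return 1      # cron executes the real file, so follow symlinks
    top=$(readlink -f "$2") || return 1
    owner="$3"; rc=0
    while :; do
        actual=$(stat -c '%U' "$p") || return 1
        if [ "$actual" != "$owner" ]; then
            echo "$p: owned by $actual, expected $owner"; rc=1
        fi
        if writable_by_others "$p"; then
            echo "$p: writable by group/others"; rc=1
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# check_root_cron_target FILE: the whole path up to / must belong to root
check_root_cron_target() {
    check_chain "$1" / root
}

# usage: sh check_cron_target.sh /root/pybackup/backup.py /root/pybackup/.config.json
for f in "$@"; do
    check_root_cron_target "$f" && echo "$f: ok"
done
```

On a stock Debian install /root is mode 700 and root-owned, so the clone above passes as long as nothing later loosens it; the check is worth rerunning after anyone touches those permissions or moves the script somewhere under /home or /opt.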

I really suggest creating a separate database user which can only read what the backup needs, instead of putting the root password into the backup configuration. MySQL/MariaDB example (give -p without a value so the root password is prompted for and does not end up in the shell history and the process list; the backup user gets a password of its own, not the root password):

$ sudo docker-compose exec mariadb mysql -u root -p
mariadb> CREATE USER 'backup'@'localhost' IDENTIFIED BY 'BACKUP_PASSWORD';
mariadb> GRANT SELECT, LOCK TABLES, SHOW VIEW, TRIGGER ON mysql.* TO 'backup'@'localhost';
# repeat the GRANT for every database that you want to back up:
mariadb> GRANT SELECT, LOCK TABLES, SHOW VIEW, TRIGGER ON DATABASE_NAME.* TO 'backup'@'localhost';
mariadb> FLUSH PRIVILEGES;
mariadb> EXIT;

SELECT and LOCK TABLES cover plain tables; SHOW VIEW and TRIGGER are additionally needed for mysqldump to include views and triggers. 'backup'@'localhost' only matches connections made from inside the container (socket or loopback); if backup.py connects from the Docker host over TCP, create the user for the host the connection comes from instead.

Scheduled Backups

Backups should also be scheduled. Add the following to root's crontab (cron runs with a minimal PATH, hence the absolute paths):

# file backups at 03:00 on every fifth day of the month (1st, 6th, 11th, ...; the sequence restarts on the 1st of each month)
00 03 */5 * * /usr/bin/python3.8 /root/pybackup/backup.py -c /root/pybackup/.config.json -f
# database backups at 02:50 every day
50 02 * * * /usr/bin/python3.8 /root/pybackup/backup.py -c /root/pybackup/.config.json -d