authorluxagraf <sng@luxagraf.net>2016-08-18 15:41:04 -0400
committerluxagraf <sng@luxagraf.net>2016-08-18 15:41:04 -0400
commit26699566370f28aee807231e1f7f4d376551f949 (patch)
treec991e0010f16a2c1367f8805be85d93d572b58be /set up debian droplet basics + nginx.txt
initial commit
Diffstat (limited to 'set up debian droplet basics + nginx.txt')
-rwxr-xr-xset up debian droplet basics + nginx.txt228
1 files changed, 228 insertions, 0 deletions
diff --git a/set up debian droplet basics + nginx.txt b/set up debian droplet basics + nginx.txt
new file mode 100755
index 0000000..00b7dbc
--- /dev/null
+++ b/set up debian droplet basics + nginx.txt
@@ -0,0 +1,228 @@
+Set Up Debian Droplet - Basics + Nginx
+
+[refernces:
+<http://www.howtoforge.com/building-nginx-from-source-on-debian-squeeze>
+<http://www.rosehosting.com/blog/how-to-compile-and-install-nginx-from-source-in-debian-7-wheezy/>
+<https://www.digitalocean.com/community/articles/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server>
+<https://www.digitalocean.com/community/articles/initial-server-setup-with-debian-7>
+<https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-debian-7>]
+
+First login as root and set new root password:
+
+ passwd
+
+Then create new user:
+
+ adduser whatever
+
+Then add user to suders list:
+
+ visudo
+ whatever ALL=(ALL:ALL) ALL
+
+test by sshing as new user.
+
+vultr specific:
+
+sudo vi /etc/hosts
+sudo vi /etc/hostname
+
+##Secure the server
+
+ vi /etc/ssh/sshd_config
+
+Add these lines:
+
+Port 25009
+Protocol 2
+PermitRootLogin no
+UseDNS no
+
+Add this line to the bottom of the document, replacing demo with your username:
+
+ AllowUsers whatever
+
+reload ssh:
+
+ sudo service sshd restart
+
+test before you log out:
+
+ ssh -p 25009 whatever@123.45.67.890
+
+Add ssh keys
+
+ cat ~/.ssh/id_rsa.pub | ssh -p 25032 lxf@108.61.215.5 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
+
+---
+
+###Install Zsh/Tmux
+
+(because doing only one thing at a time sucks)
+
+ sudo apt-get update
+ sudo apt-get install tmux zsh
+ curl -L https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh | sh
+ chsh -s /bin/zsh whatever
+
+###Set up fail2ban and UFW
+
+ sudo apt-get install fail2ban
+ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+ sudo vi /etc/fail2ban/jail.local #(add IP to exclusions, up ban time)
+ sudo service fail2ban restart
+
+ apt-get install ufw
+ sudo ufw default deny incoming
+ sudo ufw default deny outgoing
+ sudo ufw allow 25009/tcp
+ sudo ufw allow 80/tcp
+ sudo ufw allow 443/tcp
+ sudo ufw allow out http
+ sudo ufw allow out https
+ sudo ufw allow out 53
+ sudo ufw enable
+ sudo ufw status verbose
+
+---
+
+###Vim
+
+ apt-get install vim
+ #I point to these in my vimrc, skip if you don't need them
+ mkdir -p ~/.vim/bundle/
+ git clone https://github.com/VundleVim/Vundle.vim.git ~/.vim/bundle/Vundle.vim
+
+##Setup Nginx
+
+ # check http://nginx.org/en/download.html for the latest version of nginx
+ # check https://developers.google.com/speed/pagespeed/module/build_ngx_pagespeed_from_source for latest version of ngx_pagespeed and psol
+ # latest headers more https://github.com/openresty/headers-more-nginx-module/tags
+ # naxsi: https://github.com/nbs-system/naxsi/releases
+
+prereqs for building stuff:
+
+ apt-get -y install build-essential zlib1g-dev libpcre3 libpcre3-dev libbz2-dev libssl-dev tar unzip
+
+prereqs for geo and ssl:
+
+ apt-get install libgeoip1 libgeoip-dev openssl libssl-dev
+ # then grab the libraries:
+ sudo mkdir -p /etc/nginx/geoip
+ cd /etc/nginx/geoip
+ sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
+ sudo gunzip GeoIP.dat.gz
+ sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
+ sudo gunzip GeoLiteCity.dat.gz
+
+ #install the GeoIP C library.
+ cd /tmp
+ wget geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
+ tar -zxvf GeoIP.tar.gz
+ cd GeoIP-*
+ ./configure
+ make
+ sudo make install
+
+ # That's all the pre-reqs, now cd in to nginx and compile:
+ cd nginx-*
+
+
+config script for nginx source (debian paths):
+
+ ./configure \
+ --add-module=$HOME/src/naxsi-0.54/naxsi_src \
+ --prefix=/usr/share/nginx \
+ --sbin-path=/usr/sbin/nginx \
+ --conf-path=/etc/nginx/nginx.conf \
+ --pid-path=/var/run/nginx.pid \
+ --lock-path=/var/lock/nginx.lock \
+ --error-log-path=/var/log/nginx/error.log \
+ --http-log-path=/var/log/access.log \
+ --user=www-data \
+ --group=www-data \
+ --without-mail_pop3_module \
+ --without-mail_imap_module \
+ --without-mail_smtp_module \
+ --with-http_stub_status_module \
+ --with-http_ssl_module \
+ --with-http_v2_module \
+ --with-http_gzip_static_module \
+ --with-pcre \
+ --with-file-aio \
+ --with-http_geoip_module \
+ --add-module=$HOME/src/ngx_pagespeed-release-1.11.33.2-beta \
+ --add-module=$HOME/src/headers-more-nginx-module-0.30 \
+
+ make
+ sudo make install
+
+The next thing is to enable autostart:
+
+ sudo vim /lib/systemd/system/nginx.service
+
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGSTOP (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
+
+
+sudo systemctl enable nginx.service
+sudo systemctl start nginx.service
+sudo systemctl status nginx.service
+
+sudo vim /etc/nginx/nginx.conf
+
+
+user www-data;
+events {
+ worker_connections 1024;
+}
+http {
+ include mime.types;
+ include /etc/nginx/naxsi_core.rules;
+ default_type application/octet-stream;
+ types_hash_bucket_size 64;
+ server_names_hash_bucket_size 128;
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ #access_log logs/access.log main;
+ more_set_headers "Server: Graf Industries Custom Server";
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ pagespeed on;
+ pagespeed FileCachePath /var/ngx_pagespeed_cache;
+ limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+ include /etc/nginx/sites-enabled/*.conf;
+}
+
+
+ sudo cp naxsi-0.53-2/naxci_config/naxsi_core.rule /etc/nginx
+
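Review bot: The build inputs this runbook installs as root are never verified — the oh-my-zsh installer is piped straight from the network into `sh` (L85), and the GeoIP database and C library are fetched over plain http with `wget` and then built and installed with `sudo make install` (L133–L145) without any checksum or signature check, so a tampered download ends up in the system nginx binary and in `/etc/nginx/geoip`. Fetching to a file first and verifying before use closes most of that gap; for the nginx tarball the published signature can be checked with `gpg --verify nginx-<VERSION>.tar.gz.asc nginx-<VERSION>.tar.gz` (<VERSION> being the release you chose at L118), and the installer script should be saved, read, and only then run. The final copy step at L247 also looks inconsistent with the rest of the file: it references `naxsi-0.53-2/naxci_config/naxsi_core.rule`, while the configure line at L154 uses `naxsi-0.54` and the nginx.conf at L227 includes `/etc/nginx/naxsi_core.rules` — the upstream file is `naxsi_config/naxsi_core.rules`, so as written the include fails and nginx will not start. Since keys are installed at L75, the sshd hardening at L56–L59 would be complete with `PasswordAuthentication no` added alongside `PermitRootLogin no`, otherwise fail2ban is the only thing standing between password guessing and the new account.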