Set Up Debian Droplet - Basics + Nginx

[references: ]

First login as root and set a new root password:

passwd

Then create a new user:

adduser whatever

Then add the user to the sudoers list:

visudo
whatever ALL=(ALL:ALL) ALL

Test by sshing in as the new user.

vultr specific:

sudo vi /etc/hosts
sudo vi /etc/hostname

## Secure the server

vi /etc/ssh/sshd_config

Add these lines:

Port 25009
Protocol 2
PermitRootLogin no
UseDNS no

Add this line to the bottom of the document, replacing whatever with your username:

AllowUsers whatever

Reload ssh:

sudo service sshd restart

Test before you log out (keep the current session open until the new one works):

ssh -p 25009 whatever@123.45.67.890

Add ssh keys:

cat ~/.ssh/id_rsa4096.pub | ssh -p 25034 lxf@63.135.175.3 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

---

### Install Zsh/Tmux (because doing only one thing at a time sucks)

sudo apt-get update
sudo apt-get install tmux zsh
curl -L https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh | sh
chsh -s /bin/zsh whatever

### Set up fail2ban and UFW

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local   # (add IP to exclusions, up ban time)
sudo service fail2ban restart

sudo apt-get install ufw
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow 25009/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow out http
sudo ufw allow out https
sudo ufw allow out 53
sudo ufw enable
sudo ufw status verbose

---

### Vim

sudo apt-get install vim

# I point to these in my vimrc, skip if you don't need them
mkdir -p ~/.vim/bundle/
git clone https://github.com/VundleVim/Vundle.vim.git ~/.vim/bundle/Vundle.vim

## Setup Nginx

# check http://nginx.org/en/download.html for the latest version of nginx
# check https://developers.google.com/speed/pagespeed/module/build_ngx_pagespeed_from_source for the latest version of ngx_pagespeed and psol
# latest headers-more: https://github.com/openresty/headers-more-nginx-module/tags
# naxsi: https://github.com/nbs-system/naxsi/releases

Prereqs for building stuff:

sudo apt-get -y install build-essential zlib1g-dev libpcre3 libpcre3-dev libbz2-dev libssl-dev tar unzip

Prereqs for geo and ssl:

sudo apt-get install libgeoip1 libgeoip-dev openssl libssl-dev

# then grab the libraries:
sudo mkdir -p /etc/nginx/geoip
cd /etc/nginx/geoip
sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
sudo gunzip GeoIP.dat.gz
sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
sudo gunzip GeoLiteCity.dat.gz

# install the GeoIP C library.
cd /tmp
wget geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
tar -zxvf GeoIP.tar.gz
cd GeoIP-*
./configure
make
sudo make install

# That's all the pre-reqs, now cd into nginx and compile:
cd nginx-*

Config script for nginx source (debian paths):

./configure \
  --prefix=/usr/share/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/lock/nginx.lock \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/access.log \
  --user=www-data \
  --group=www-data \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_gzip_static_module \
  --with-pcre \
  --with-file-aio

Second configure line, this one also building in ngx_pagespeed (note it uses user/group http and prefix /etc/nginx rather than the debian paths above, and needs NPS_VERSION and PS_NGX_EXTRA_FLAGS set as in the ngx_pagespeed build guide linked above):

./configure \
  --user=http \
  --group=http \
  --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --with-http_gzip_static_module \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-pcre \
  --with-file-aio \
  --with-http_v2_module \
  --with-http_realip_module \
  --without-http_scgi_module \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --add-module=$HOME/ngx_pagespeed-${NPS_VERSION} ${PS_NGX_EXTRA_FLAGS}

make
sudo make install

The next thing is to enable autostart:

sudo vim /lib/systemd/system/nginx.service

# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

sudo systemctl enable nginx.service
sudo systemctl start nginx.service
sudo systemctl status nginx.service

sudo vim /etc/nginx/nginx.conf

# more_set_headers and the naxsi include below need the headers-more and naxsi
# modules compiled in with --add-module; neither configure line above adds them.
user www-data;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    include /etc/nginx/naxsi_core.rules;
    default_type application/octet-stream;
    types_hash_bucket_size 64;
    server_names_hash_bucket_size 128;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    more_set_headers "Server: Graf Industries Custom Server";

    sendfile on;
    keepalive_timeout 65;
    gzip on;

    pagespeed on;
    pagespeed FileCachePath /var/ngx_pagespeed_cache;

    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    include /etc/nginx/sites-enabled/*.conf;
}

sudo cp naxsi-0.53-2/naxsi_config/naxsi_core.rules /etc/nginx
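The "Secure the server" section tells you to add Port, PermitRootLogin, UseDNS and AllowUsers lines to sshd_config. sshd uses the first uncommented occurrence of each keyword, so if the stock file already has an active `Port 22` above your additions, the appended `Port 25009` is ignored and the firewall rule for 25009 guards a port nothing listens on. The script below is an added example, not part of the original notes: it reads the effective value of each directive with first-match semantics and audits a constructed sample config that has exactly that mistake. The sample file, the `audit_sshd`/`effective_value` names and the assumption of a single AllowUsers entry (and no Match blocks) are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the sshd hardening
# directives in a config file, honouring sshd's first-occurrence-wins rule.

# effective_value FILE KEYWORD -> value of the first uncommented KEYWORD line
# (keyword match is case-insensitive, as in sshd; Match blocks are ignored here)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# audit_sshd FILE PORT USER -> prints one line per check, returns 0 only if all pass
audit_sshd() {
    file=$1; want_port=$2; want_user=$3; rc=0
    check() {  # check LABEL ACTUAL EXPECTED
        if [ "$2" = "$3" ]; then
            echo "ok    $1 = $2"
        else
            echo "FAIL  $1 = '${2:-<unset>}' (expected $3)"; rc=1
        fi
    }
    check Port            "$(effective_value "$file" Port)"            "$want_port"
    check PermitRootLogin "$(effective_value "$file" PermitRootLogin)" no
    check UseDNS          "$(effective_value "$file" UseDNS)"          no
    check AllowUsers      "$(effective_value "$file" AllowUsers)"      "$want_user"
    return $rc
}

# Constructed sample: a stock-looking file where "Port 22" was left active and
# the new lines were appended at the bottom, exactly as the notes describe.
make_sample() {  # make_sample PATH
    cat > "$1" <<'EOF'
# Package generated configuration file
Port 22
#PermitRootLogin yes
Port 25009
Protocol 2
PermitRootLogin no
UseDNS no
AllowUsers whatever
EOF
}

tmp=$(mktemp)
make_sample "$tmp"
audit_sshd "$tmp" 25009 whatever || echo "hardening NOT effective: fix the earlier directive"
rm -f "$tmp"
```

On the live box the authoritative check is `sudo sshd -T`, which prints the configuration sshd will actually apply; run it before `service sshd restart`, and keep the existing session open until `ssh -p 25009` from a second terminal succeeds.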
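The fail2ban step above only says "add IP to exclusions, up ban time" in jail.local. Here is an added example (mine, not from the notes or the fail2ban project) that writes those overrides and also covers the detail that matters once sshd has moved to port 25009: the sshd jail's `port` setting defaults to `ssh` (22), so bans would be written for a port nothing listens on unless the jail is told the new port. It assumes fail2ban 0.9 or later (jail named `[sshd]`); the trusted address 203.0.113.10 and the `write_jail_local`/`jail_value` names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): write the jail.local overrides
# for fail2ban and read them back for verification.

# write_jail_local PATH TRUSTED_IP SSH_PORT
write_jail_local() {
    cat > "$1" <<EOF
[DEFAULT]
# never ban the admin's own address (plus loopback)
ignoreip = 127.0.0.1/8 $2
# ban for one day after 3 failures within 10 minutes
bantime  = 86400
findtime = 600
maxretry = 3

[sshd]
enabled = true
# sshd listens on the non-standard port from sshd_config; without this line the
# ban is applied to port 22 and failed logins on $3 keep getting through
port = $3
EOF
}

# jail_value FILE SECTION KEY -> value of KEY inside [SECTION], empty if absent
jail_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }            # track the current section
        in_sec && $1 == key && $2 == "=" {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit  # strip "key = " and stop
        }
    ' "$1"
}

# Demo against a temp file; on a real host the path is /etc/fail2ban/jail.local
# followed by "sudo service fail2ban restart".
tmp=$(mktemp)
write_jail_local "$tmp" 203.0.113.10 25009
echo "sshd jail port: $(jail_value "$tmp" sshd port)"   # 25009
echo "ban time:       $(jail_value "$tmp" DEFAULT bantime)"
rm -f "$tmp"
```

After restarting, `sudo fail2ban-client status sshd` shows whether the jail is active and which addresses it has banned; an empty ban list after repeated failed logins on 25009 is the symptom of a jail still watching port 22.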
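The nginx.service unit above runs `nginx -t` in ExecStartPre, so a broken nginx.conf stops the next restart rather than the running server. The function below is an added example (mine, not from the notes) of the matching habit for the nginx.conf edits: copy the new file into place, validate it, reload only on success, and restore the backup otherwise so a later reboot does not fail at ExecStartPre. The validator and reload commands are parameters (defaulting to `nginx -t -q -c FILE` and `systemctl reload nginx.service`), which is what lets the demo run without nginx installed; the `deploy_nginx_conf` name and the sample config contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): validate-then-reload deployment
# of an nginx config, with rollback when validation fails.

# deploy_nginx_conf NEW_CONF LIVE_CONF [VALIDATE_CMD] [RELOAD_CMD]
# returns 0 and reloads on success; returns 1 and restores the old file otherwise
deploy_nginx_conf() {
    new=$1; live=$2
    validate=${3:-"nginx -t -q -c $live"}
    reload=${4:-"systemctl reload nginx.service"}
    backup="$live.bak.$(date +%s)"

    [ -f "$live" ] && cp -p "$live" "$backup"   # keep the known-good config
    cp "$new" "$live"

    if $validate; then
        $reload
        echo "deployed $new -> $live (backup: $backup)"
        return 0
    fi

    # validation failed: put the old config back so the unit's ExecStartPre
    # does not reject the file at the next restart or boot
    [ -f "$backup" ] && cp -p "$backup" "$live"
    echo "rejected $new: restored $backup" >&2
    return 1
}

# Demo with constructed files and "true"/"false" standing in for nginx -t.
d=$(mktemp -d)
printf 'events {}\nhttp {}\n' > "$d/live.conf"
printf 'events {}\nhttp { gzip on; }\n' > "$d/good.conf"
printf 'http {\n' > "$d/bad.conf"
deploy_nginx_conf "$d/good.conf" "$d/live.conf" true true
deploy_nginx_conf "$d/bad.conf"  "$d/live.conf" false true || echo "live config unchanged"
rm -rf "$d"
```

On the real host leave the last two arguments out: `sudo sh -c '. ./deploy.sh; deploy_nginx_conf new.conf /etc/nginx/nginx.conf'` runs nginx's own parser against the file and reloads through the unit, so the running workers are never handed a config that `nginx -t` would reject.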