Linode/Setup

From neuromatch
Revision as of 10:46, 29 November 2022

Assuming you have made a Linode with Debian 11.

User accounts

  • Make user accounts. (You can do this as many times as you want to add more users.)
adduser \
   --system \
   --shell /bin/bash \
   --gecos 'User description if you want' \
   --group \
   --home /home/USERNAME \
   USERNAME
  • Add user to sudo group (if needed)
usermod -aG sudo USERNAME

Security (only need to do this at setup)

Add cryptographic public keys for user authentication

  • RSA keys (has known vulnerabilities)
  • ed25519 keys (better alternative: faster, more secure, resilient against hash-function collision attacks, shorter)

Configure sshd

  • Disable password login
  • Disable root login
  • Restart ssh, otherwise the changes to sshd_config don't take effect!
    service ssh restart
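As an added check, not part of the original page: a small POSIX sh script that confirms the two sshd changes above actually took effect. It reads the effective configuration from `sshd -T` (after Include files and Match blocks) rather than the file you edited, so a typo or an overriding drop-in is caught before you rely on it. The function names and the `--live` flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki: confirm the sshd hardening above took effect.
# `sshd -T` prints the effective configuration (after Include files and Match
# blocks), so it catches a typo or an overriding drop-in that a bare grep of
# /etc/ssh/sshd_config would miss. Function and flag names are this example's own.

# Read `sshd -T` output on stdin; return 0 only if every directive below has
# the expected value. Directive names in `sshd -T` output are lower-case.
check_sshd_hardening() {
    _cfg=$(cat)
    _rc=0
    for _want in "passwordauthentication no" \
                 "permitrootlogin no" \
                 "pubkeyauthentication yes"; do
        _key=${_want%% *}
        _val=${_want#* }
        # First match wins; key and value are compared case-insensitively.
        _got=$(printf '%s\n' "$_cfg" |
               awk -v k="$_key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$_got" = "$_val" ]; then
            echo "ok    $_key = $_got"
        else
            echo "FAIL  $_key = ${_got:-<unset>} (want $_val)"
            _rc=1
        fi
    done
    return $_rc
}

# Run against the live daemon (needs root). Syntax-check first so a broken
# config is caught before `service ssh restart` locks you out.
audit_live_sshd() {
    sshd -t || { echo "sshd_config has syntax errors; do not restart" >&2; return 2; }
    sshd -T | check_sshd_hardening
}

# Only touch the real sshd when asked explicitly: `sh ssh-audit.sh --live`
if [ "${1:-}" = "--live" ]; then
    audit_live_sshd
fi
```

Run it with `--live` as root after editing sshd_config and before restarting; keep your existing session open until it reports `ok` for every directive.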

Fail2Ban

Install

apt install fail2ban

Configuration

Editing /etc/fail2ban/jail.local, using the defaults from Mastodon/Setup

[DEFAULT]
destemail = your@email.here
sendername = Fail2Ban

[sshd]
enabled = true
port = 22

[sshd-ddos]
enabled = true
port = 22

Then restart the service

systemctl restart fail2ban

IPTables

Again following Mastodon/Setup

Install

apt install -y iptables-persistent

Decline the dialog asking if you want to preserve existing iptables configs (if you say yes then the commands below will fail for some reason)

Configuration

  • IPv4: Edit /etc/iptables/rules.v4
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#  Allow destination unreachable messages; especially code 4 (fragmentation required) is required or PMTUD breaks
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
  • IPv6: Edit /etc/iptables/rules.v6
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d ::1/128 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow all ICMPv6 (ping, plus neighbour discovery and PMTUD, which IPv6 needs to work at all)
-A INPUT -p icmpv6 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Then reload the rules:

iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6


Setting up an SMTP server

By default, Linode disables SMTP ports 587 etc. This requires a manual human-facing support ticket to remove. (Done by @Jonny on Nov 25 2022)

Setting up an admin account from CLI w/ email confirmation

This command works if the username and email have already been registered from the UI. Very useful if the SMTP server hasn't been set up yet. Note that you need to be logged in as the mastodon user for this to work.