
How To Set Up Your Linode For Maximum Awesomeness - feross
http://feross.org/how-to-setup-your-linode/
======
thaumaturgy
Some random selections from my notes on building Linode web servers:

- Set up reverse DNS in the Linode manager: select the Linode, click on
"Remote Access", click on "Reverse DNS" (under "Public IPs")

- Linodes don't offer very much disk space; use localepurge to keep the
filesystem on a diet: `# apt-get install localepurge`

- After installing and setting up MySQL, don't forget:
`# mysql_secure_installation`

- After installing Apache, change the following in httpd.conf: ServerToken ->
Prod, ServerSignature -> Off, KeepAlive -> Off

- After installing PHP, edit php.ini to make it shut up: expose_php -> Off

There's a bunch of other fiddly stuff to do, and a seemingly endless
combination of packages and strategies depending on what you're trying to
accomplish. For instance, I currently run a stack with Postfix for MTA,
awstats+jawstats for beautiful server-side site statistics, mod_deflate,
mem_cache, fcgid/suexec to make it harder to break the server if a site is
compromised, PureFTPd for really easy managed-by-MySQL FTP access, and a pile
of other little minor tweaks and knobs turned.

MOST IMPORTANTLY: Backups, backups, backups. If you don't already have your
own in-house backup service for your server (and I bet you don't!), then
please take advantage of Linode's backup services:
<http://www.linode.com/backups/>

~~~
sounds
Two other suggestions would be:

1. Test how your VPS comes back after a reboot. When you make big changes, and
at least every 6 months: all the upgrading that Ubuntu does by default can
break the bootup process, and you won't know until that emergency unscheduled
reboot at 3AM.

2. As long as you're customizing the firewall you should block pings
entirely.

* Really, since the distributions are very compatible I would urge you to consider a distro that has SELinux enabled by default. Fedora Core is a great place to start. It also has better tools to manage security and gives you good resume skills.

~~~
thorduri
> 2. As long as you're customizing the firewall you should block pings
> entirely.

Why?

I've never seen a threat model where filtering icmp doesn't end up being more
trouble than it's worth. Then there is even the maintenance headache when
basic but powerful tools like ping and traceroute are rendered useless.

It's the same BS as with fail2ban, thankfully the OP wasn't spreading the
gonorrhea of port knocking/single packet auth. Lock down your sshd like
everything else: Disable root, disable tunneled cleartext passwords, enforce
proper key usage, use AllowGroups/AllowUsers.

EDIT: The BS with fail2ban is moving the ssh port around. I understand this
being a problem, but surely iptables has something similar to OpenBSD pf's:

    table <brutes> persist   # must be declared before the rules reference it

    block in quick from <brutes>

    # 3 concurrent / 4 new per 32 s per source; offenders land in <brutes>
    pass in log on $if_ext proto tcp from any to ($if_ext:0) port ssh keep state \
        (max-src-conn 3, max-src-conn-rate 4/32, overload <brutes> flush global)

~~~
lesaker
Mind explaining your issue with single packet auth? Port knocking by
definition is an extra layer of security through obscurity, in that gaining
access requires hitting the sequence of ports to "knock". Depending on the
implementation, this either is very vulnerable to MITM/sniffing attacks
(static knock sequence) or quickly gets really complicated (fully dynamic
knock sequence).

SPA, by contrast, uses actual crypto to securely authenticate the user with
the server. I'm a fan of fwknop, which uses GPG to sign a request packet which
is read and understood by the server. It protects against 0 day attacks on
OpenSSH, lets me drop 22 inbound to eliminate all those pesky attackers, and
allows me to securely authenticate with the fwknopd.

~~~
thorduri
Sure.

> "Port knocking by definition is an extra layer of security through
> obscurity"

Security through obscurity is not security, it's at best theater.

> "It protects against 0 day attacks on OpenSSH"

You substitute one problem for another, 0 day attacks on the SPA. Your model
isn't safer, it's just different.

And personally, I trust the OpenSSH guys way more than any SPA vendor, simply
because they have a very good track record.

~~~
moe
You're making no sense. Moving the SSH port is a trivial way to reduce your
attack surface (undirected bulk scans go for 22).

~~~
thorduri
If undirected bulk scans are a serious threat to your security, something is
up.

Properly configured (AllowUsers, root disabled, no clear-text passwords, only
keys, etc.), I'd say that the undirected bulk scans pose no security risk at
all; they are only a nuisance in terms of spamming your logs, which is easy
enough to deal with.

What I'm really trying to say is that each "trivial way to reduce your attack
surface" has both cost and benefits.

I'm contending that moving the ssh port around gives you the benefit of less
log spam with no security gain, and costs in terms of documentation and
maintenance.

When I do this cost/benefit analysis, I conclude that moving the port around
has more costs than it does benefits, so I don't bother.
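
As an added illustration of two points in this subthread (the pf `overload <brutes>` rule a few comments up, and "log spam is easy enough to deal with"), here is a small POSIX shell script that is not from the article or any commenter. It counts failed password attempts per source address over a constructed auth.log excerpt and reports the sources that cross a threshold, which is the same bookkeeping a pf overload table or fail2ban does before blocking. The log lines, hostname and addresses (RFC 5737 documentation ranges) are constructed for the example; the threshold of 4 mirrors the count in the pf rule's `max-src-conn-rate 4/32`, minus the time window.

```shell
#!/bin/sh
# Constructed auth.log excerpt for this example (not real log data).
SAMPLE_AUTH_LOG='Oct  3 02:11:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Oct  3 02:11:02 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51123 ssh2
Oct  3 02:11:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51124 ssh2
Oct  3 02:11:04 web1 sshd[2204]: Failed password for invalid user oracle from 198.51.100.7 port 51125 ssh2
Oct  3 02:11:05 web1 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51126 ssh2
Oct  3 02:12:10 web1 sshd[2210]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Oct  3 02:12:40 web1 sshd[2212]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Oct  3 02:13:00 web1 sshd[2215]: Failed password for bob from 192.0.2.44 port 60000 ssh2'

# count_failures: read sshd log lines on stdin and print "count source" per
# source address, highest count first. Only "Failed password" lines count,
# so successful logins and other sshd noise are ignored.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: print the source addresses with at least THRESHOLD
# failures, i.e. the addresses a pf overload table would be holding.
offenders() {
    count_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run: the per-source table, then the offenders at the pf rule's count.
printf '%s\n' "$SAMPLE_AUTH_LOG" | count_failures
echo "sources at or above 4 failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 4
```

On a real box the same functions take `grep sshd /var/log/auth.log | offenders 4`. The awk pattern keys on OpenSSH's "Failed password for ... from ADDR port N" message; a different log format (journald output, another distro's prefix) needs the leading regex adjusted.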

~~~
moe
_undirected bulk scans pose no security risk at all_

A future bulk-scan may leverage a new SSH-exploit before you know it exists.

To put it explicitly: You should disable passwords and change the SSH-port.
That's the two measures that make sense, to reduce surface and prevent
password brute-force.

The rest of your recommendations is security theatre. An attacker dedicated
enough to find your SSH-port and be set back by !AllowRoot will just
brute-force an allowed username - if that's even a prerequisite for the given
ssh-exploit.

~~~
thorduri
> A future bulk-scan may leverage a new SSH-exploit before you know it exists.

Sure, this is true. I consider this a "minor" issue; truth be told (I didn't
want to muddle up the conversation) I don't tend to run sshd faced towards the
'public' internet, and in the cases where I do, ssh access is restricted to
certain hosts/networks, and is enforced by a firewall.

> The rest of your recommendations is security theatre

Can you state why? I think they all provide measurable/real benefit, if this
isn't the case I'd welcome some education.

Hm. I will give you that AllowUsers/AllowGroups is not a very good benefit in
this case; I mainly enforce the usage of those directives to protect against
problems such as bogus user account creations (exploit-created or something
as simple as an admin mistake).

> An attacker dedicated enough to find your SSH-port

And Now for Something Completely Different.

Protecting against a dedicated attacker is a totally different ball game than
protecting against drive-bys.

------
omarchowdhury
This is great SEO.

The author's website ranks first for "Linode Hosting Review".

He'll receive a commission for sales generated through his site, and being
that his strategy is so targeted, it should convert well and deliver value to
both him and Linode.

And he does it without ever having to resort to spam, the very opposite in
fact; he does it through high quality content.

Good work feross!

~~~
ohashi
Good for him for generating the content and getting the rankings. I don't
think it's that competitive though. I launched my site last week and I am on
page 2 for the same term.

------
shawnee_
The bulk of this article has been copied directly from:

<http://library.linode.com/getting-started>
<http://library.linode.com/securing-your-server>

~~~
feross
"I originally compiled this guide as a .txt file of notes for myself, but
decided to share it in case anyone finds it useful. If you're looking for
something straight from the horse's mouth, Linode [offers
guides](<http://library.linode.com/>) that cover how to set up a new server,
but some of the info is out of date."

------
juan_juarez
Huh, I never realized that "maximum awesomeness" was synonymous with "basic
functionality".

~~~
Jgrubb
Veterans of Hacker News - why am I not allowed to down vote?

~~~
spacemanaki
There's a karma threshold before you're allowed to downvote.

~~~
Jgrubb
Could you tell me what that number is?

~~~
saraid216
It goes up over time. Right now it's around 500.

~~~
jacques_chester
For comments or posts?

~~~
saraid216
Comments. I believe the threshold for flagging submissions is 1000, but I'm
not sure; I didn't notice when I hit it. You cannot downvote submissions.

~~~
cowsaysoink
Flagging is considerably lower, this account can flag comments and submissions
so I think ~20 karma is required to flag.

------
nigma
Or, even easier, use one of many StackScripts[1].

But what I would really like to see is a decent introduction to Salt, Puppet
or Chef. This way people that are going to deploy their first server could
easily build and rebuild the instance and don't end up retyping shell commands
from a blog article.

Also a note on the default Apache setup. There are several "flavors" of the
server. If you are going to host Python sites with mod_wsgi then the
apache2-mpm-worker package is a lot better choice than the traditional prefork
model.

[1] <http://www.linode.com/stackscripts/>

------
adient
Pro tip: instead of changing ssh default port, setting up fail2ban and messing
with iptables rules manually, just use ufw. You're welcome.

~~~
justinhj
Is that an Ubuntu-only tool? I'd be hesitant to commit myself to anything that
runs in a single distribution if I can help it. Fail2Ban would work if I
decided to migrate to CentOS later down the line.
<https://help.ubuntu.com/community/UFW>

~~~
sturadnidge
It's an Ubuntu only tool in the same way that aptitude and dpkg-reconfigure
are Ubuntu only tools.

The guide is not claiming to be generic, it's totally fair game to use
specific tools imho - especially if they simplify things.

~~~
cbs
> the same way that aptitude and dpkg-reconfigure are Ubuntu only tools.

No. ufw can run on other distros, it's just a frontend to iptables. A quick
googling makes it look like it's there in Arch repos; you have to compile it
yourself on CentOS. I don't know about all distros, YMMV.

Even if ufw was Ubuntu specific, it would not be Ubuntu-specific in the _way_
that aptitude and dpkg-reconfigure are. Those tools are Ubuntu specific
because they're specific to that package manager.

And in actuality those tools aren't Ubuntu-only either. apt is the debian
package manager and the tools should be present on any debian-based distro.

~~~
Dylan16807
I'm pretty sure you completely misread that post.

"X is Y the same way that (false statement)" -> X is not Y

~~~
cbs
The number of completely wrong generalizations about distributions I hear by
people being sincere prevents me from reading that as anything but one. People
saying "only Ubuntu X" when they really mean "only debian-based X" is one of
the most common mistakes I hear.

If I did misread it, that's an even worse thing to say. If a person is in the
position of asking if ufw will work on CentOS, it is downright _mean_ to give
an answer that requires them to understand esoteric particulars of the debian
bloodline.

~~~
Dylan16807
I don't know if I would call the package management system of debian esoteric
in a conversation comparing distros. I will agree that the wording was a bad
choice.

------
xachen
Might I make one suggestion:

Make sure your SSH port is below 1024 (but still not 22). The reason being, if
your Linode is ever compromised a bad user may be able to crash sshd and run
their own rogue sshd as a non-root user, since your original port is
configured >1024.

~~~
angryasian
Thanks for this tip, I never realized this. More in the link if interested:

<http://unix.stackexchange.com/questions/16564/why-are-the-first-1024-ports-restricted-to-the-root-user-only>
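
Pulling together the sshd checklist from the earlier subthread (root login off, no password authentication, AllowUsers/AllowGroups) with the privileged-port point above, here is an added POSIX shell audit script; it is not from the article or any commenter. It reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and anything after the first `Match` line is conditional, so it is skipped) and reports which of those settings are missing. The config files in the stand-alone run are constructed for the example.

```shell
#!/bin/sh
# sshd_option KEYWORD FILE: print the effective value of KEYWORD in FILE.
# sshd_config keywords are case-insensitive and the FIRST occurrence wins
# (later duplicates are ignored), so this stops at the first hit. Lines after
# the first "Match" block are conditional and are deliberately not read.
sshd_option() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
        }' "$2"
}

# audit_sshd_config FILE: print one line per finding; the return value is the
# number of findings, so 0 means the file passes all four checks.
audit_sshd_config() {
    cfg="$1"; findings=0
    port=$(sshd_option Port "$cfg"); [ -n "$port" ] || port=22
    if [ "$port" -eq 22 ]; then
        echo "Port is the default 22 (the port undirected scans go for)"
        findings=$((findings + 1))
    elif [ "$port" -ge 1024 ]; then
        echo "Port $port is unprivileged: a non-root process could bind it if sshd goes down"
        findings=$((findings + 1))
    fi
    root=$(sshd_option PermitRootLogin "$cfg" | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', expected 'no'"
        findings=$((findings + 1))
    fi
    pw=$(sshd_option PasswordAuthentication "$cfg" | tr 'A-Z' 'a-z')
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-unset}', expected 'no' (keys only)"
        findings=$((findings + 1))
    fi
    if [ -z "$(sshd_option AllowUsers "$cfg")$(sshd_option AllowGroups "$cfg")" ]; then
        echo "Neither AllowUsers nor AllowGroups is set"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone run against a constructed config, then (read-only) the live one
# when invoked with --check.
demo_cfg=$(mktemp)
printf '%s\n' '# constructed example config' 'Port 2222' 'PermitRootLogin yes' > "$demo_cfg"
audit_sshd_config "$demo_cfg" || echo "$? finding(s) in constructed config"
rm -f "$demo_cfg"
if [ "${1:-}" = "--check" ]; then
    audit_sshd_config /etc/ssh/sshd_config || echo "$? finding(s)"
fi
```

Run it as `sh audit.sh --check` on the server after editing sshd_config and before restarting sshd; the constructed demo config yields four findings (unprivileged port, root login, passwords, no allow list). The `Match` cutoff is conservative: per-user exceptions in a `Match` block are not evaluated, so a `PasswordAuthentication yes` hidden there would still need a manual look.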

------
yesimahuman
Thanks for the advice on the out of memory reboot. I probably have Apache
misconfigured, or my app is slowly leaking memory, but I've run into random
downtime and an unresponsive server as apache runs out of memory.

One of the most annoying things I'm running into with Linode and other VPS
services is dealing with my drive running out of space. I've been moving all
my database stuff to Heroku and I'm much happier (plus the automatic backups
are a dream).

------
zoba
I find my Linode really useful for x11 forwarding to use Firefox in public
places, or to get around web filters. Might be worth a mention of how to do
this.

~~~
mratzloff
Write a blog post.

~~~
zoba
Though it is late, and I've been out at bars with friends, I made this for
you:

<http://dzoba.com/?p=182>

~~~
JonnieCache
What is the advantage you see of tunnelling X like that over just tunnelling
the network connections with ssh -D?

~~~
montecarl
Not all of the web browser traffic goes through the tunnel when you set a
proxy in the browser. DNS queries for example do not. Flash programs such as
video players also connect directly to the remote website and do not use the
proxy. If you don't know those two facts you might be leaking way more
information than you want on the local network!

~~~
tomku
Firefox defaults to not proxying DNS, but if you set
"network.proxy.socks_remote_dns" to true in about:config, it will happily do
so for SOCKS proxies. If you use FoxyProxy (which is pretty damn useful if you
proxy over an SSH tunnel regularly), it has a checkbox that enables or
disables it per-proxy.

------
ck2
It is so easy and dangerous to mess up setting the firewall from scratch, why
mess with it.

Use the free, awesome CSF (configserver firewall) instead.

<http://www.configserver.com/cp/csf.html>

------
zdw

        echo /etc/hostname
    

really?

~~~
3pt14159
People make mistakes like this all the time. Obviously he meant to type
`cat /etc/hostname`

~~~
astrodust
It should be to run the `hostname` command, nothing more.

~~~
feross
Nice. Didn't know about this.

~~~
astrodust
Ironically that command is used to set the hostname but not read it.

Next you'll tell me you don't even know what `uname` does!

~~~
khet
Everyone is learning something here, no need to insult someone because they
might not know something you know. I bet you don't know something he knows.

~~~
astrodust
No room for a bit of sarcasm or smarmy, now is there?

------
zalew
"On Windows, you’ll want to use putty [...] criminals often try to guess the
root password using automated attacks that try many thousands of passwords in
a very short time. This is a common attack that nearly all servers will face."

Yet another tutorial where I wonder who the target audience is. If somebody
doesn't know the term brute-force or how to open a terminal app and connect
with ssh, IMO they are not supposed to set up their own server by themselves.

~~~
feross
"they are not supposed to set up their own server..."

What about people setting up a server for the first time? How else are they
supposed to learn?

I built my first site when I was 14 and moved to a VPS when I was 17. Until I
moved to Linode, I never had a reason to open Terminal.

~~~
zalew
> What about people setting up a server for the first time? How else are they
> supposed to learn?

Oh wow. Well, I'm kind of old fashioned, but maybe they could start with
learning the basics of how the internet works, what is ssh, what the hell is
linux, and by then somebody will know why you need to open that weird terminal
where there is only text and no cute rounded-cornered buttons.

I don't get why[1] some tutorials try to cover everything almost from 'first,
turn on your computer' to 'deploy your scalable social dynamic api-driven
mumbo jumbo architecture web app', and there have been a few around here.
there is a place for basic education and there certainly is a place to help
somebody kickstart in a particular tech when he's got the basics covered -
what's the point of mixing the two?

[1] actually I do. clickity click.

~~~
Jgrubb
I'll ask again, Hacker News. I've been on this site for three years. I've
derived an incredible amount of knowledge from just being here and reading.
Lately though, I'm enjoying it a lot less.

I'm not sure if my tolerance for snarky, dipshit comments like this has gone
down lately, or if there are a lot more snarky dipshits on this site now. The
only thing I know is that for some reason I am unable to down vote these
comments - my only active recourse.

Is this a bug or is there some magic karma threshold that I still haven't hit?

~~~
spacemanaki
Well, since you already know about the karma threshold, which is apparently
500 right now (it has risen over time), and you're getting downvoted for
asking about it, let me tell you that downvoting other people isn't all it's
cracked up to be...

Meanwhile, I'll steal this from a real HN veteran... I know there's been a lot
of talk about the quality of comments or about the increased negativity, but I
still really subscribe to this theory, which I take no credit for.

    
    
              Quality of Hacker News Comments Over Time
    
       |                   . .
       |                  .   . 
      q| . .             .     .
      u|    .           .       .               . . .
      a|     .         .          .           .       .
      l|      .       .              .      .           .
      i|       .     .                  . .               .    
      t|        . . .                       you are here -->. .
      y|                                      (that's all)
       |________________________________________________________
        J A S O N D J F M A M J J A S O N D J F M A M J J A S O
    

<http://news.ycombinator.com/item?id=4365778>

~~~
ntumlin
Is there some sort of source on this graph, or is it a prove-a-point type
thing? Just wondering, because if there was some way to measure quality of
posts over time (up/down vote ratio?) that would be a really neat metric.

~~~
carbocation
It's a reference to the notion of Eternal September, from Usenet lore. To
summarize from memory, perhaps incorrectly: Usenet used to be great but got
worse qualitatively when school would start in September. Its quality would
increase throughout the year as people learned to communicate appropriately.
One year, however, it just never got better...

~~~
tptacek
... when AOL started offering access to Usenet.

(In reality, Usenet was pretty great through most of the '90s; warez killed
Usenet, not newcomers).

------
mibbitier
My only gripe with linode is that they are unable to handle DoS attacks. If
you're subjected to an attack, your linode will be shut off (null routed) for
24 hours. After that time, they'll check to see if it's still being attacked.

I really think they could do a lot better than that. Apart from that gripe,
they're a great VPS host.

~~~
lsc
What is your suggestion?

Sounds like they have a clear policy in place; most places it's a vague
judgment call. But most places will kick any user that gets hit with a DoS
attack that is large enough to disrupt service to other customers.

I mean, I agree that 'finishing the job' and letting the attacker win by null-
routing the target is... a suboptimal way to deal with the problem, but with
pipe-filling attacks? if the attacker can send more bytes than your pipe can
handle, there is really no other realistic way to handle the problem. (I mean,
you can try to trace down the source and call up the ISPs the packets are
coming from, but BCP38 is still not widely implemented, so good luck tracing a
spoofed source more than one or two hops up, and meanwhile, as you are calling
people up and trying to get through to someone skillful enough to figure out
where a spoofed packet is coming from, you are down.)

There are 'clean pipe' services, where someone with a very large pipe says
they will programmatically detect and block DoS traffic, then pass along the
good traffic to your (much smaller) pipe, and yes, those services can work
/if/ the service provider has a larger pipe than the attacker. Of course,
buying such a service from a service provider with a sufficiently large pipe
is, as you can imagine, quite expensive. Buying such a service from someone
that has less available bandwidth than your attackers are able to throw at the
problem, of course, is completely useless.

So yeah, uh, assuming you can't afford to be on a 'clean pipe' that is backed
by a huge network, you are much better off with an ISP that proactively shuts
down DoS targets than one that doesn't. Unless, of course, you are a DoS
target.

I mean, the economics of pipe-filling denial of service attacks, right now,
are heavily tilted in favour of the attacker. It is a problem that needs to be
solved, but I don't know how to solve it.

~~~
mibbitier
Other services, for example Amazon ec2, just deal with a DoS, and charge you
for the traffic.

Also, null-routing for 24 hours regardless of whether the attack only lasted 2
minutes is a little silly.

~~~
lsc
In the case where the attack is larger than your provider's pipe, they can't
"just deal with it" - I mean, without blackholing the target IP address. If
your transit ports are full, you are dropping packets. Undoubtedly, this is an
advantage that larger providers (like Amazon) have. On the other hand, most
VPS customers would not want to pay $0.13 per gigabyte for DoS traffic.

> Also, null-routing for 24 hours regardless of if the attack only lasted 2
> minutes, is a little silly.

It is a rather big deal for a hosting provider to lose connectivity for two
minutes.

------
fluxon
If anybody needs it,
<http://webcache.googleusercontent.com/search?q=cache:feross.org/how-to-setup-your-linode/>

------
ciupicri
ssh-copy-id could be used to copy the SSH key

~~~
feross
FYI, ssh-copy-id isn't available on OS X by default. So, it's easiest to just
do it by hand.
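
As an added example (not from feross or the article), here is the "by hand" route that ssh-copy-id automates, as a POSIX shell function: it creates `~/.ssh` with the permissions sshd's `StrictModes` requires, appends the key only if that exact line is not already there, and refuses input that does not look like an OpenSSH public key line. The key in the stand-alone run is constructed and not real key material.

```shell
#!/bin/sh
# install_pubkey "KEY LINE" [SSH_DIR]
# Append an OpenSSH public key to SSH_DIR/authorized_keys (default ~/.ssh).
# This is what ssh-copy-id does on the remote side: sshd (with the default
# StrictModes yes) rejects keys in a directory or file writable by others, so
# the permissions are set every time, and the append is idempotent.
install_pubkey() {
    key="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth="$ssh_dir/authorized_keys"

    # Basic sanity check on the key type so a stray line can't be appended.
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 2 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"

    # -x: whole-line match, -F: fixed string (key material contains '/' and '+').
    if grep -qxF "$key" "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "installed"
}

# Stand-alone demo in a temporary directory with a constructed (fake) key:
# the second call is a no-op because the line is already there.
demo_dir=$(mktemp -d)
install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000 user@laptop' "$demo_dir/.ssh"
install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000 user@laptop' "$demo_dir/.ssh"
rm -rf "$demo_dir"
```

Over the network the equivalent one-liner (with `user@host` as a placeholder) is `ssh user@host 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys' < ~/.ssh/id_ed25519.pub`; apart from the duplicate check that is all ssh-copy-id does. Confirm the key logs in from a second terminal before turning password authentication off.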

------
taligent
Remind me again why anybody is still using Linode?

Poor uptime and a disgraceful attitude towards security. ANY service provider
that hides the facts behind major security incidents from their customers
should never be used.

I guess their new customers will soon realise how crappy it feels to find out
from Reddit that your VPS is potentially hacked.

~~~
yoshamano
Who would you suggest then instead of Linode? I was thinking of renting their
smallest one to have something to fart around with.

~~~
MatthewPhillips
Prgrmr.com

~~~
jcoder
Is this a joke? Looks like a malware site.

~~~
Stratoscope
That does look like a malware site. It was a typo. Here's the correct URL:

<http://prgmr.com/>

~~~
krzyk
That one looks quite good, I like the Ascii art design and the "the 64M option
is an 'advanced option' - we don't have any distros setup that work well in 64
megabytes. You can strip down most distros to the point where they will work
well, we just have yet to do so. If you still want to order it, use 'view
source' to find the commented out link. "

