More notes. Sorry. 🙂
1. Hostname and TimeZone
Reference: https://www.linode.com/docs/getting-started
Add a line below the localhost and ubuntu entries:
To set timezone:
The UI should be straightforward. Run the date command to confirm it's correct.
2. Add User
Reference: https://www.linode.com/docs/security/securing-your-server/
3. Firewall
Reference: https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw
Be sure to allow SSH before activating the firewall if you are SSHing into the server; otherwise you will lock yourself out.
4. Fail2Ban
Reference: https://www.linode.com/docs/security/securing-your-server/#installing-and-configuring-fail2ban
Fail2Ban adds iptables entries that deny hosts which have triggered a ban, so they are refused access to the server for a period of time.
By default, Fail2Ban is configured to watch SSH connection attempts. It can be configured to watch other services as well.
Fail2Ban plays nicely with UFW (both tools manage iptables). UFW will only list its own denied/allowed IPs, so the commands above are required to check who is currently banned.
5a. Disable Root Login via SSH
Made the following changes:
5b. Allow SSH only from LAN
Set the ListenAddress to the internal IP (not the public IP).
5c. Remove SSH Server
6a. Install MariaDB
Reference: https://downloads.mariadb.org/mariadb/repositories/#mirror=digitalocean-nyc
Reference: https://www.vultr.com/docs/install-mariadb-on-ubuntu-14-04
Get the latest package.
After running mysql_secure_installation, root will only be accessible locally.
6b. Configure MariaDB
Reference: https://www.linode.com/docs/databases/mariadb/mariadb-setup-debian7
To configure:
To enable remote connections, comment out the bind-address line:
To connect to the database:
Users:
Reference: https://mariadb.com/kb/en/mariadb/configuring-mariadb-for-remote-client-access/
Reference: https://www.linode.com/docs/websites/hosting-a-website/#creating-a-database
6c. Optimizing MariaDB
See the suggestions here for settings inside my.cnf that you can change:
https://www.linode.com/docs/websites/hosting-a-website/#optimizing-mysql-for-a-linode-1gb
e.g. lower the connection limit from 100 to 75, and max_allowed_packet from 16M to 1M.
There is also a tool, mysqltuner, that examines the logs and server status and tells you what to change to make it run better:
https://www.linode.com/docs/databases/mariadb/mariadb-setup-debian7#tuning-mariadb
Your database should run for about 24 hours under normal usage before it can make useful suggestions.
6d. Backups
Reference: http://webcheatsheet.com/sql/mysql_backup_restore.php
Reference: http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html
A script with some nice ideas: http://www.docplanet.org/linux/backing-up-linux-web-server-live-via-ssh/
7. Litespeed
Latest version: http://open.litespeedtech.com/mediawiki/index.php/Downloads
Litespeed is now installed in /usr/local/lsws.
7b. OpenLiteSpeed on ARM
This is something I got working with a bit of know-how.
Now, before you build, you need to edit the file "include/ls_atomic.h".
8a. Install PHP 7
The latest version as of this writing is PHP 7.0.0 RC4. The build scripts are unable to fetch the RC builds, so you can fetch them manually as follows:
Now, build PHP 7 inside the UI.
NOTE: php.ini may not be copied into place, so you can fetch the file as follows:
8b. PHP 7 Extensions
To use phpize, you need autoconf.
GD: already installed (built-in)
APCu (branch): https://github.com/krakjoe/apcu/tree/seven
Imagick (branch) or Gmagick: https://github.com/mkoppanen/imagick/tree/phpseven
9. Web Server Configuration
Under General->Index Files, add index.php.
Under External App, click Edit.
To correctly handle CloudFlare's IP proxying in LiteSpeed, you need to set General Settings->Use Client IP in Header to either YES or Trusted IP Only.
If using Trusted IP Only, under Security->Access Control, set the Allowed List to:
This will change the server PHP variable $_SERVER['REMOTE_ADDR'] from the CloudFlare IP to the visitor's real IP. $_SERVER['PROXY_REMOTE_ADDR'] will now contain the CloudFlare IP.
IPs sourced from here: https://www.cloudflare.com/ips
Adding a trailing T marks them as trusted.
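The difference between YES and Trusted IP Only matters: with YES, any client that connects directly can forge the client-IP header, while Trusted IP Only honours the header only when the connection really comes from a listed proxy. The following is an added example (not LiteSpeed's code, and not from the original post) showing that decision logic in Python; the proxy ranges are constructed placeholders, not CloudFlare's real list.

```python
import ipaddress

# Constructed placeholder ranges standing in for the trusted proxy list.
# The real list for CloudFlare is published at https://www.cloudflare.com/ips.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_trusted_proxy(remote_addr: str) -> bool:
    """True if the TCP peer address falls inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # not even a valid IP: never trusted
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, forwarded_header: str = "") -> str:
    """Mirror LiteSpeed's 'Use Client IP in Header: Trusted IP Only'.

    remote_addr is the socket peer (what PROXY_REMOTE_ADDR ends up holding);
    forwarded_header is the X-Forwarded-For value the proxy sent, if any.
    The header is believed only when the peer is a trusted proxy; otherwise
    the client could have written it themselves and we keep the peer address.
    """
    if forwarded_header and is_trusted_proxy(remote_addr):
        # A proxy appends the address it saw to the END of the chain, so the
        # last entry is the one the trusted hop vouches for; earlier entries
        # may have been supplied by the client and are not trusted.
        candidate = forwarded_header.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return remote_addr
```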
Add a Listener, Port 443, Secure YES. Add a Virtual Host Mapping to it.
Under SSL, set the Private Key File (something.key), Certificate File (something.crt), and the CA Certificate File (ca.pem). HTTPS will not work until you do this.
Use Listener->IP Address of [ALL] IPv6 to allow incoming connections over both IPv4 and IPv6. This may require a few soft resets to kick in properly (the Dashboard was reporting a listener failure for me until I reset it).