[sakukra] Setting up the Sakura dedicated server I rented
Register the SSH key
$ ssh-copy-id -i ~/.ssh/id_rsa admin@#{ip_address}
Checking the security state
# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

Every chain has policy ACCEPT with no rules, and hosts.allow/hosts.deny contain nothing but the stock comments, so every service listening on the box is reachable from the whole internet.
This is just awful... orz
Configuring iptables
I prepared a script like this
#!/bin/sh
# Clear the existing rules
/etc/rc.d/init.d/iptables stop

# Default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow all replies to connections this host initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop multicast
#iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Rate-limit ICMP echo requests (the original calls this a ping-of-death
# countermeasure; what it actually mitigates is ping floods: requests over
# the limit fall through to the DROP policy)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m --limit-burst 60 -j ACCEPT

# HTTP, HTTPS and one extra port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 10080 -j ACCEPT

# FTP control channel (passive-mode data connections are only accepted via
# the RELATED rule above if the ip_conntrack_ftp module is loaded)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# SMTP submission, POP3
#iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

/etc/init.d/iptables save
/etc/init.d/iptables start

Note that the original had the echo-request rule broken across a line ("--limit\ -burst"); the option is --limit-burst. Also keep in mind that FTP on 21 and POP3 on 110 are cleartext protocols, so passwords for those services cross the network unencrypted, and that "save" writes these rules to /etc/sysconfig/iptables, so they come back on every boot.
Then run it
# ./iptables.sh
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             ALL-SYSTEMS.MCAST.NET
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/min burst 60
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:amanda
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The first ACCEPT line looks like it accepts everything from anywhere; it is the loopback rule, and plain "iptables -L" simply does not show the interface. Use "iptables -L -v" to see the -i lo match. "amanda" is just the /etc/services name for port 10080.
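Running a script that sets the INPUT policy to DROP over the very SSH session you are typing into is the step most likely to lock you out of a dedicated server (a typo in the port 22 rule and the session is gone for good). The following is an added example, not from the original post: a pair of shell functions that snapshot the live ruleset and start a detached timer that restores it unless you cancel it from a fresh SSH session. The backup path, the delay, and the IPTABLES_SAVE/IPTABLES_RESTORE override variables are this example's own assumptions; the latter exist so the functions can be exercised without touching a real firewall.

```shell
#!/bin/sh
# Added example (not from the original post): apply a new ruleset with a timed
# automatic rollback so a broken rule cannot lock you out.
# Assumed, not from the original: BACKUP, DELAY and the two command overrides.

BACKUP=${BACKUP:-/root/iptables.rollback}
DELAY=${DELAY:-300}                                   # seconds until rollback
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# arm_rollback: snapshot the live ruleset and start a detached timer that
# restores it after DELAY seconds. Prints the timer's PID. nohup keeps the
# timer alive if this SSH session dies, which is exactly the case we guard.
arm_rollback() {
    "$IPTABLES_SAVE" > "$BACKUP" || return 1
    [ -s "$BACKUP" ] || return 1
    nohup sh -c "sleep $DELAY && $IPTABLES_RESTORE < '$BACKUP'" >/dev/null 2>&1 &
    echo $!
}

# disarm_rollback PID: cancel the timer. Call it only after a *new* SSH
# session to the server has succeeded with the new rules in place.
disarm_rollback() {
    kill "$1"
}

# Usage on the server, as root:
#   pid=$(arm_rollback)        # old rules saved, timer running
#   ./iptables.sh              # the post's script
#   # from your workstation: ssh admin@server   (must succeed)
#   disarm_rollback "$pid"     # keep the new rules
#   # otherwise do nothing: after DELAY seconds the old rules come back.
#   # iptables.sh also ran "iptables save", so after a rollback run
#   # /etc/init.d/iptables save again or the bad rules return at boot.
```

The timer restores only the live ruleset; because the post's script persists its rules with "save", a rollback must be followed by saving the restored rules again, otherwise the next boot reloads the broken set.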
Register an administrative user
# useradd #{username}
# passwd #{username}
Enable SSH key authentication for the admin user as well
localhost $ ssh-copy-id -i ~/.ssh/id_rsa #{username}@#{ip_address}
Allow key authentication only
Before doing this, confirm once that you can actually log in with key authentication.
If you skip that and the key login fails, you will be locked out for good, so be careful.
# vi /etc/ssh/sshd_config
line 58: #PasswordAuthentication yes
   ↓
line 58: PasswordAuthentication no

// restart
# /etc/init.d/sshd restart

Two caveats. The stock CentOS sshd_config also has ChallengeResponseAuthentication yes together with UsePAM yes; left like that, a client can still be prompted for the account password through keyboard-interactive authentication even though PasswordAuthentication is off, so set ChallengeResponseAuthentication no too. And since a syntax error in sshd_config means sshd fails to come back up, check the file with sshd -t before restarting.
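Editing "line 58" by number is fragile (the line moves between releases) and leaves no way to re-run the hardening safely. The following is an added example, not from the original post: shell functions that set each option idempotently, whether the line is present, commented out or missing, and validate the result with sshd -t before restarting. PermitRootLogin no and the explicit PubkeyAuthentication yes are my additions, consistent with the admin user created above; the helper names and the assumption that the file has no Match blocks (an appended option would otherwise land inside the last block) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent sshd_config hardening.
# Assumes: no Match blocks in the file; GNU sed (CentOS). The file path is a
# parameter so the functions can be exercised on a copy.

# set_sshd_option FILE KEY VALUE
# Replace an existing (possibly commented-out) KEY line with "KEY VALUE",
# or append it if there is none. Running it twice leaves one line.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: effective value (sshd takes the first
# uncommented occurrence; keywords are case-insensitive).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: the post's change plus the options it silently depends on.
harden_sshd() {
    f=$1
    set_sshd_option "$f" PasswordAuthentication no
    # CentOS ships ChallengeResponseAuthentication yes + UsePAM yes, which still
    # allows a password prompt via keyboard-interactive; turn it off too.
    set_sshd_option "$f" ChallengeResponseAuthentication no
    set_sshd_option "$f" PubkeyAuthentication yes
    # Editor's addition: with an admin user in place, root should not log in
    # directly over SSH.
    set_sshd_option "$f" PermitRootLogin no
}

# check_and_restart FILE: sshd -t exits non-zero on a broken config, so a typo
# never takes the daemon down. Run as root on the server.
check_and_restart() {
    sshd -t -f "$1" && /etc/init.d/sshd restart
}

# Usage on the server (root), after confirming key login works:
#   cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd /etc/ssh/sshd_config
#   check_and_restart /etc/ssh/sshd_config
```

Keep the existing root session open while you do this, exactly as the post advises for the svn step below, and verify a fresh key-only login from a second terminal before closing it.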
Enable the centosplus and contrib repositories
# cd /etc/yum.repos.d/
# vi CentOS-Base.repo
line 59: enabled=0
   ↓
line 59: enabled=1
line 70: enabled=0
   ↓
line 70: enabled=1
Run an update for now
# yum update
Upgrade ruby (and others) from the CentOS Testing repository
# cd /etc/yum.repos.d/
# wget http://dev.centos.org/centos/4/CentOS-Testing.repo
# yum --enablerepo=c4-testing update

Note that this updates every package for which testing has a newer version, not just ruby; to limit the blast radius, name the packages you actually want (yum --enablerepo=c4-testing update ruby). The repo file arrives over plain HTTP, so check that gpgcheck is enabled in the downloaded file before relying on it.
Install Subversion
# wget -r -A .rpm -l 1 http://summersoft.fay.ar.us/pub/subversion/latest/rhel-4/i386/
# cd summersoft.fay.ar.us/pub/subversion/latest/rhel-4/i386/
# rpm -Uvh *

These are third-party packages pulled over plain HTTP. Import the packager's public key and verify the signatures with rpm -K *.rpm before the rpm -Uvh; an unsigned or badly signed package should not be installed as root.
Manage /etc with Subversion
# mkdir -p /var/svn/etc
# svnadmin create --fs-type fsfs /var/svn/etc
# cd /etc
# svn import file:///var/svn/etc -m "initial import"
# cd ..
# mv etc etc.old
# svn co file:///var/svn/etc etc
# chmod 400 /etc/ssh/*key
# chmod 440 /etc/sudoers
// Just in case: leave the root session open, start another terminal emulator, log in over ssh and confirm you can still become root.

Two things to watch here. Subversion versions only the svn:executable bit, so the checked-out /etc comes back owned by root with umask-derived modes (0644/0755): that is why the host keys and sudoers are tightened again above, but /etc/shadow and /etc/gshadow come back world-readable too, and anything else whose owner, group or mode differed from the default is reset as well, so compare against etc.old (ls -l) before deleting it. In addition, both the repository under /var/svn/etc and the .svn directories inside the working copy now hold pristine copies of shadow, the host keys and sudoers, so they must be readable by root only. Between the mv and the checkout there is no /etc at all; run those two commands back to back and do not log out until the new tree is verified.
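Re-tightening two files by hand after the checkout is the fragile part of this step: everything else in /etc silently comes back with default modes and root ownership. The following is an added example, not from the original post: shell functions that record owner, group and mode for every file under a directory before the checkout and reapply them afterwards, plus the lock-down of the repository and the .svn directories. The manifest format (mode user group path) and the function names are this example's own; the svn commands in the usage comment are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): preserve /etc permissions across
# "mv etc etc.old && svn co ... etc", since Subversion only stores the
# svn:executable bit. Manifest format (this example's own): "mode user group path".
# Symlinks are skipped on purpose: chmod/chown on a link would hit its target.

# record_perms DIR MANIFEST: one line per file or directory under DIR.
record_perms() {
    find "$1" ! -type l -printf '%m %u %g %p\n' > "$2"
}

# restore_perms MANIFEST: reapply owner, group and mode to every path that
# still exists (paths ignored at import will be missing from the checkout).
# Returns non-zero if any chown/chmod failed. Paths may contain spaces but
# not newlines.
restore_perms() {
    rc=0
    while IFS=' ' read -r mode user group path; do
        [ -e "$path" ] || continue
        chown "$user:$group" "$path" || rc=1
        chmod "$mode" "$path" || rc=1
    done < "$1"
    return $rc
}

# Usage on the server (root), wrapped around the post's checkout:
#   record_perms /etc /root/etc.perms
#   cd / && mv etc etc.old && svn co file:///var/svn/etc etc
#   restore_perms /root/etc.perms
#   # the repository and the working copy's pristine copies now contain
#   # shadow, host keys and sudoers: keep them root-only
#   chmod 700 /var/svn/etc
#   find /etc -name .svn -type d -exec chmod 700 {} +
```

Keep /root/etc.perms around: diffing a fresh record_perms run against it is a quick way to spot later permission drift in /etc, which is the kind of change the svn history itself cannot show.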