User:PMay/Hetzner.de vServer Setup

From ArchWiki
Jump to: navigation, search

This guide is about how to install Arch on a vServer hosted by hetzner.de. The guide is still in development and not complete.

btrfs

 # dd if=/dev/zero of=~/part bs=1024 count=2000000
 # mkfs.btrfs -L mybtrfs ~/part
 # mkdir /mnt/mybtrfs
 # mount /root/part /mnt/mybtrfs

Backup

 # export FTP_PASSWORD=<my_password>
 # export PASSPHRASE=<my_passphrase>
 # duplicity --verbosity 9 --ssl-no-check-certificate . webdavs://<my_e-mail>@dav.box.com/dav/backup
 -
 - Errormessage:
 Import of duplicity.backends.dpbxbackend Failed: No module named dropbox

more packages to install

 # pacman -S net-tools

network

 # systemctl enable network@ens3.service
  • edit /etc/resolv.conf to setup name server (see same file from old debian installation for proper values)

sshd

 # systemctl enable sshd.service

activate swap partition

 # mkswap /dev/sda1
 # swapon /dev/sda1
File: /etc/fstab
/dev/sda1           	none      	swap      	defaults  	0 0

LAMP

 #  pacman -S apache php php-apache mariadb

Apache

Apache Security

  • disable all auth modules but not mod_authz_host.so
  • disable all proxy modules
  • disable mod_autoindex.so
  • disable mod_info.so
  • removed Include conf/extra/httpd-autoindex.conf

MariaDB

  • login to DB
 # mysql -u root -p
 CREATE USER 'wp'@'localhost' IDENTIFIED BY 'somepassword';
 CREATE DATABASE wp_db;
 GRANT ALL PRIVILEGES ON wp_db.* TO 'wp'@'localhost';

Idears / ToDo

  • use btrfs to make snapshots for recovery - but use ro now rw snapshots (tip from irc - whatever that means)
  • port 5060 (sip) scheint offen zu sein
  • remove these messages vom apache: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.1e DAV/2 PHP/5.5.6
  • check if these settings are all right: php_admin_value open_basedir
  • Zeitzone setzen
  • Zeitserver client aufsetzen http://wiki.hetzner.de/index.php/Uhrzeit_synchronisieren_mit_NTP
  • Forward-Secrecy: http://www.heise.de/newsticker/meldung/Auch-Twitter-steigt-auf-Forward-Secrecy-um-2053135.html
  • FollowSymLinks bei apache aus
  • edit /etc/httpd/conf/extra/httpd-default.conf
  • edit open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/ in php.ini
  • ich wuerde von dem verlinkten wiki abraten, die leute in #postfix waren ziemlich entsetzt als sie das gesehen haben, vor allem das 'relay_domains = *'

ownCloud

Notes

  • see what daemons are listening on what ports
 # netstat -tuple
 # ss -l
  • show the state of a running deamon and its last log output
 # systemctl status <deamon_name>