User:PMay/Hetzner.de vServer Setup

From ArchWiki

This guide describes how to install Arch Linux on a vServer hosted by hetzner.de. It is still in development and incomplete.

btrfs

 # dd if=/dev/zero of=~/part bs=1024 count=2000000
 # mkfs.btrfs -L mybtrfs ~/part
 # mkdir /mnt/mybtrfs
 # mount /root/part /mnt/mybtrfs

Backup

 # export FTP_PASSWORD=<my_password>
 # export PASSPHRASE=<my_passphrase>
 # duplicity --verbosity 9 --ssl-no-check-certificate . webdavs://<my_e-mail>@dav.box.com/dav/backup
  • error message:
 Import of duplicity.backends.dpbxbackend Failed: No module named dropbox

more packages to install

 # pacman -S net-tools

network

 # systemctl enable network@ens3.service
  • edit /etc/resolv.conf to set up the name server (see the same file from the old Debian installation for proper values)

sshd

 # systemctl enable sshd.service

activate swap partition

 # mkswap /dev/sda1
 # swapon /dev/sda1
File: /etc/fstab
/dev/sda1           	none      	swap      	defaults  	0 0

LAMP

 # pacman -S apache php php-apache mariadb

Apache

Apache Security

  • disable all auth modules except mod_authz_host.so
  • disable all proxy modules
  • disable mod_autoindex.so
  • disable mod_info.so
  • removed Include conf/extra/httpd-autoindex.conf
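
One way to check an httpd.conf against the list above, as an added example that is not part of the original notes. The function names and the sample config are constructed for illustration; the rules follow the list literally, so every mod_auth*, mod_authn* and mod_authz* module other than mod_authz_host.so is reported.

```shell
#!/bin/sh
# Added example: audit an Apache config against the checklist above.
# Prints "LINE: finding" per violation; returns 1 if any were found.
audit_httpd_conf() {
    awk '
        function hit(msg) { print NR ": " msg; found = 1 }
        /^[ \t]*#/ { next }                        # commented-out directive
        tolower($1) == "loadmodule" {
            n = split($3, p, "/"); so = p[n]       # module file name
            if (so == "mod_authz_host.so") next    # the one auth module kept
            if (so ~ /^mod_auth/)       hit("auth module loaded: " so)
            else if (so ~ /^mod_proxy/) hit("proxy module loaded: " so)
            else if (so == "mod_autoindex.so" || so == "mod_info.so")
                hit("module loaded: " so)
        }
        tolower($1) == "include" && $2 ~ /httpd-autoindex\.conf$/ {
            hit("still included: " $2)
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample config (not taken from the server described here).
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
Include conf/extra/httpd-autoindex.conf
Include conf/extra/httpd-default.conf
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_httpd_conf "$sample" || echo "checklist not yet satisfied"
rm -f "$sample"
```

Run it against the real file with audit_httpd_conf /etc/httpd/conf/httpd.conf; commented-out directives are ignored, so only modules that are actually loaded are listed.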

MariaDB

  • login to DB
 # mysql -u root -p
 CREATE USER 'wp'@'localhost' IDENTIFIED BY 'somepassword';
 CREATE DATABASE wp_db;
 GRANT ALL PRIVILEGES ON wp_db.* TO 'wp'@'localhost';

Ideas / ToDo

  • use btrfs to make snapshots for recovery - but use ro, not rw, snapshots (tip from IRC - whatever that means)
  • port 5060 (SIP) seems to be open
  • remove these messages from Apache: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.1e DAV/2 PHP/5.5.6
  • check if these settings are all right: php_admin_value open_basedir
  • set the time zone
  • set up a time server client: http://wiki.hetzner.de/index.php/Uhrzeit_synchronisieren_mit_NTP
  • Forward-Secrecy: http://www.heise.de/newsticker/meldung/Auch-Twitter-steigt-auf-Forward-Secrecy-um-2053135.html
  • turn off FollowSymLinks in Apache
  • edit /etc/httpd/conf/extra/httpd-default.conf
  • edit open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/ in php.ini
  • I would advise against the linked wiki; the people in #postfix were pretty appalled when they saw it, especially the 'relay_domains = *'

ownCloud

Notes

  • see what daemons are listening on what ports
 # netstat -tuple
 # ss -l
  • show the state of a running daemon and its last log output
 # systemctl status <daemon_name>