VPS Survival Guide
##################

Running an unconstrained node on the public Internet is tricky and an invitation to pwnage.

.. note::

   I would like to endorse a VPS hosting firm called TNA Hosting [#]_. They are a small shop with really great deals, solid uptime, and no mandatory intrusion policy. As of this writing, my link below can lead to $25/year KVM nodes and other good stuff.

.. [#] https://tnahosting.net/billing/aff.php?aff=168

Email security
==============

DKIM
----

DKIM signs outgoing mail with a private key held on your server and publishes the matching public key in DNS, so a receiver can verify that a message really came from your domain and was not altered in transit. The receiver finds the key through the selector named in the signature: it looks up the TXT record ``<selector>._domainkey.<domain>``, so the selector you choose at key-generation time and the DNS name you publish must agree.

* Install opendkim.

  .. code-block:: bash

     # For Debian-alike
     apt-get install opendkim opendkim-tools
     # For modern RHEL-alike
     dnf install opendkim
     # For older RHEL-alike
     yum install opendkim

  ..

* Generate DKIM keys.

  * The keys will be in */etc/opendkim/keys*; next to each private key there is a *<selector>.txt* file containing the DNS record to publish.
  * The mapping of keys should be correct in */etc/opendkim/keytable* and */etc/opendkim/signingtable*: ``KeyTable`` maps a key name to ``domain:selector:/path/to/key``, and ``SigningTable`` maps sender addresses (or a domain wildcard) to that key name.
  * ``opendkim-default-keygen`` is a convenience wrapper around ``opendkim-genkey`` that uses the selector ``default`` and the host's domain. To pick the selector yourself (for example ``mail``, as in the record below), run ``opendkim-genkey -s mail -d yourdomain.org`` from opendkim-tools instead, and use that selector everywhere that follows.

  .. code-block:: bash

     opendkim-default-keygen

  ..

* Push the DKIM public key to your DNS zone file as a TXT record. The name is ``<selector>._domainkey``; the value is the contents of the generated *.txt* file joined into one string. Note the tags: the version is ``v=DKIM1`` (not ``DKIM``), the key type is ``k=rsa`` (there is no ``rsa256``; the hash is chosen by the signer, not the record), and ``p=`` carries the base64 public key. An empty ``p=`` means "this key is revoked".

  +-------+------------------------------------------+
  | Name  | mail._domainkey                          |
  +-------+------------------------------------------+
  | Type  | TXT                                      |
  +-------+------------------------------------------+
  | TTL   |                                          |
  +-------+------------------------------------------+
  | Value | v=DKIM1; k=rsa; p=<base64 public key>    |
  +-------+------------------------------------------+

* Check */etc/opendkim.conf*.

  * ``Mode`` should be ``sv`` (sign outgoing mail, verify incoming mail).
  * Note the port specified in the socket definition, such as ``inet:8891@localhost``; the milter setting in your MTA must point at the same socket.

* Activate opendkim.

  .. code-block:: bash

     systemctl enable opendkim
     systemctl restart opendkim

  ..

* Configure your mail agent (Qmail/Postfix) to use DKIM (see below).

SPF
---

An SPF record lists which hosts are allowed to send mail for your domain. It is a DNS record of type TXT at the domain apex, and receivers check it against the envelope sender (``MAIL FROM``), not the ``From:`` header shown in a mail client. The qualifier on the final ``all`` is the policy for every sender not listed: ``-all`` asks receivers to reject, ``~all`` only asks for a softfail, which most receivers treat as a score adjustment rather than a rejection. Every ``a``, ``mx``, ``ptr``, ``exists``, ``include`` and ``redirect`` term costs a DNS lookup, and a record that needs more than 10 lookups in total evaluates to permerror, so keep ``include`` chains short.

* A basic SPF record allowing your MX hosts and the domain's own A record to send, and rejecting everything else.

  .. code-block:: text

     v=spf1 mx a -all

  ..

* Letting Google do your dirty work.

  .. code-block:: text

     v=spf1 include:_spf.google.com ~all

  ..

* Same with Zoho.

  .. code-block:: text

     v=spf1 include:zoho.com ~all

  ..
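The following script is an added example, not code from this guide or from the OpenDKIM project, and it serves the DKIM and SPF sections above together. It flattens the multi-line record that ``opendkim-genkey`` writes into the single TXT value a DNS panel expects and checks its tags (``v=DKIM1``, ``k=``, non-empty ``p=``), and it counts the DNS lookups an SPF record needs, which is how ``include`` chains silently break a policy. The key file content, the SPF record snapshot, ``example.org`` and the script name are constructed for the example; replace ``spf_record`` with a ``dig`` query to check a live zone.

```sh
#!/bin/sh
# Offline checks for the two DNS records described above.  Added example,
# not code from the guide or from OpenDKIM.  All inputs are constructed.

# --- DKIM ---------------------------------------------------------------

# opendkim-genkey writes <selector>.txt as a BIND record split into several
# quoted strings (a 2048-bit key does not fit one 255-byte string).  Keep the
# quoted chunks, drop the quotes and join them: that is the value to publish.
dkim_value_from_keyfile() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
    echo
}

# The owner name (<selector>._domainkey) is the first field of that file.
dkim_name_from_keyfile() {
    awk 'NR == 1 { print $1 }' "$1"
}

# 0 if the value is a usable key record, else a reason on stderr and 1.
# Tags are matched after ';' or space so a "p=" inside the base64 cannot be
# mistaken for the tag.
dkim_value_ok() {
    v=$1
    case "$v" in
        "v=DKIM1;"*) ;;                       # version tag is DKIM1, not DKIM
        *) echo "bad or missing version tag, want v=DKIM1" >&2; return 1 ;;
    esac
    k=$(printf '%s' "$v" | sed -n 's|.*[; ]k=\([a-z0-9]*\).*|\1|p')
    case "${k:-rsa}" in                       # k= defaults to rsa (RFC 6376)
        rsa|ed25519) ;;
        *) echo "unknown key type k=$k (want rsa or ed25519)" >&2; return 1 ;;
    esac
    p=$(printf '%s' "$v" | sed -n 's|.*[; ]p=\([A-Za-z0-9+/=]*\).*|\1|p')
    [ -n "$p" ] || { echo "empty or missing p= (empty p= means revoked)" >&2; return 1; }
}

# Constructed stand-in for /etc/opendkim/keys/default.txt (a real p= is much
# longer; the split across quoted strings is what matters here).
write_sample_keyfile() {
    cat > "$1" <<'EOF'
default._domainkey  IN  TXT  ( "v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxYz0123abcdefghijkl"
      "mnopqrstuvwxyzAB==" )  ; ----- DKIM key default for example.org
EOF
}

# --- SPF ----------------------------------------------------------------

# Constructed snapshot of records standing in for DNS so this runs offline.
# Live version: dig +short TXT "$1" | tr -d '"' | grep '^v=spf1'
spf_record() {
    case "$1" in
        example.org)     echo "v=spf1 mx a include:_spf.google.com -all" ;;
        _spf.google.com) echo "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" ;;
        _netblocks.google.com)  echo "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ~all" ;;
        _netblocks2.google.com) echo "v=spf1 ip6:2001:4860:4000::/36 ~all" ;;
        _netblocks3.google.com) echo "v=spf1 ip4:172.217.0.0/19 ~all" ;;
        *) echo "" ;;
    esac
}

# Number of DNS-querying terms reachable from a domain's record.  RFC 7208
# allows 10 per evaluation: a, mx, ptr, exists, include and redirect= count,
# ip4/ip6/all do not.  Recursion runs in $(...) subshells, so no locals.
spf_lookup_count() {
    n=0
    for term in $(spf_record "$1"); do
        t=${term#[+~?-]}                       # strip the qualifier
        case "$t" in
            include:*)  n=$((n + 1 + $(spf_lookup_count "${t#include:}"))) ;;
            redirect=*) n=$((n + 1 + $(spf_lookup_count "${t#redirect=}"))) ;;
            a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Qualifier on the final "all": "-" rejects, "~" softfails, "?" is neutral.
spf_all_qualifier() {
    for term in $(spf_record "$1"); do
        case "$term" in
            all|+all) echo "+" ;;
            [~?-]all) echo "${term%all}" ;;
        esac
    done
}

# Usage: sh email_dns_check.sh [/etc/opendkim/keys/default.txt [example.org]]
# Without arguments the constructed sample is used.
tmp=""
if [ -n "${1:-}" ]; then
    keyfile=$1
else
    keyfile=$(mktemp); write_sample_keyfile "$keyfile"; tmp=$keyfile
fi
domain=${2:-example.org}
value=$(dkim_value_from_keyfile "$keyfile")
if dkim_value_ok "$value"; then
    printf '%s TXT %s\n' "$(dkim_name_from_keyfile "$keyfile")" "$value"
fi
printf 'SPF for %s: %s DNS lookups (limit 10), default policy %sall\n' \
    "$domain" "$(spf_lookup_count "$domain")" "$(spf_all_qualifier "$domain")"
[ -z "$tmp" ] || rm -f "$tmp"
```

Run it with no arguments to see the sample, or pass your own *<selector>.txt* and domain. A lookup count above 10 means receivers return permerror and never reach your ``-all``; the sample ``example.org`` record costs 6, so one more ``include`` of a provider with its own chain can push it over.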
Postfix
-------

* Set opendkim as a mail filter for both SMTP-submitted and locally generated mail. The address must match the ``Socket`` line in */etc/opendkim.conf* (``inet:8891@localhost`` above). Postfix's default ``milter_default_action`` is ``tempfail``, so mail is deferred rather than sent unsigned if opendkim is down; keep the service enabled.

  .. code-block:: ini

     smtpd_milters = inet:127.0.0.1:8891
     non_smtpd_milters = inet:127.0.0.1:8891

  ..

Qmail
-----

Network security
================

Openssh
-------

* Install OpenSSH and enable the service. The unit is called ``ssh`` on Debian-alike systems (``sshd`` is an alias for it) and ``sshd`` on RHEL-alike systems.

  .. code-block:: bash

     # For Debian-alike
     apt-get install openssh-server
     systemctl enable ssh
     systemctl start ssh
     # For modern RHEL-alike
     dnf install openssh-server
     systemctl enable sshd
     systemctl start sshd
     # For older RHEL-alike
     yum install openssh-server
     systemctl enable sshd
     systemctl start sshd

  ..

* TCP wrappers are consulted by every service linked against libwrap: */etc/hosts.allow* is read first and the first matching rule wins, then */etc/hosts.deny*, and a client matching neither file is let in. This only protects sshd if your build still links libwrap. Upstream OpenSSH removed tcp_wrappers support in 6.7, Debian patches it back in, and RHEL 8 and later do not ship tcp_wrappers at all, so check the sshd binary with ``ldd`` before relying on these files; where libwrap is absent, restrict sources with the firewall or with ``AllowUsers user@host`` patterns in *sshd_config* instead.

* *hosts.allow* lists authorized TCP connection sources. Hostname patterns such as ``.mydomain.org`` need working reverse DNS for the client, and ``LOCAL`` matches any hostname without a dot.

  .. code-block:: text

     # Local addresses
     ALL: LOCAL
     # Every host in your external domain
     ALL: .mydomain.org
     # Every host in your internal domain
     ALL: .local.mydomain.org
     # The host with IP x.x.x.x
     ALL: x.x.x.x

  ..

* *hosts.deny* lists forbidden TCP connection sources. Without the catch-all below, anything not matched in *hosts.allow* is still allowed.

  .. code-block:: text

     # Ban everything not allowed in hosts.allow
     ALL: ALL
     # Replace it with this to deny only clients whose forward and reverse
     # DNS disagree; everything else not matched would then be allowed.
     # ALL: PARANOID

  ..

Fail2ban and SSH
----------------

So, you installed *fail2ban*, which means your troubles are over, right? Not quite: the upstream *jail.conf* enables no jails at all, so on the RHEL-alike packages the ``sshd`` jail is off until you switch it on (Debian's package turns it on through *jail.d/defaults-debian.conf*). Put your settings in *jail.d* rather than editing *jail.conf*, which package upgrades overwrite. Create */etc/fail2ban/jail.d/22-sshd.conf* as follows. With ``maxretry = 2`` an address is banned after two failures inside ``findtime`` (10 minutes by default), ``bantime = 864000`` keeps it banned for ten days, and the ``-allports`` actions drop the address on every port, not just SSH. That combination will lock you out after one mistyped password from your own workstation, so add your own address to ``ignoreip`` in the same file.

.. code-block:: ini
   :linenos:

   [sshd]
   enabled = true
   port = ssh
   maxretry = 2
   bantime = 864000
   banaction = nftables-allports
   # If using iptables, comment the previous line and uncomment the next.
   #banaction = iptables-allports

..

GEOIP ipsets and firewalld
--------------------------

This script configures firewalld to block entire countries. It only controls your level of logspam, not your residual risk: blocking the densest bot sources thins out the noise, but any attacker can rent a node in a country you still allow, so the technical controls above are what actually protect you.

:download:`Download blocknets.sh `

.. literalinclude:: code_samples/blocknets.sh
   :linenos:
   :language: bash

..

My zoneurls.txt contains the high-density sources for the bots in my logs. Add or subtract countries as you see fit.

:download:`Download zoneurls.txt `

.. literalinclude:: code_samples/zoneurls.txt
   :linenos:
   :language: text

..
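The following script is an added example, not code from this guide or from the fail2ban project, and it belongs with the *Openssh* and *Fail2ban and SSH* sections above. It applies the jail's ``maxretry = 2`` threshold to a few constructed sshd log lines so you can see which sources would be banned before pointing fail2ban at a live log, and it checks whether your sshd still links libwrap, which decides whether *hosts.allow* and *hosts.deny* apply to it at all. The log lines, the host name ``vps``, the addresses (TEST-NET ranges) and the script name are constructed.

```sh
#!/bin/sh
# Added example, not code from the guide or from fail2ban: count failed SSH
# logins per source the way the sshd jail does, over constructed log lines.
# Simplifications: only "Failed password" lines are counted and findtime is
# ignored (fail2ban matches more sshd messages and only counts failures
# inside the findtime window).

# Print "ip count" for every source with at least $2 failed passwords in
# log file $1, one per line, sorted by address.
ssh_ban_candidates() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1" | sort
}

# hosts.allow/hosts.deny only bind sshd if it is linked against libwrap:
# upstream OpenSSH dropped tcp_wrappers in 6.7, Debian patches it back in,
# RHEL 8+ ships no tcp_wrappers.  Returns 0 when libwrap is linked.
sshd_has_libwrap() {
    bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$bin" ] && ldd "$bin" 2>/dev/null | grep -q libwrap
}

# Constructed sample log: one host fails three times, one real user fails
# once and then logs in with a key.
write_sample_authlog() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 vps sshd[2201]: Invalid user admin from 203.0.113.7 port 41002
Mar  3 10:15:01 vps sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Mar  3 10:15:04 vps sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Mar  3 10:15:09 vps sshd[2210]: Failed password for root from 203.0.113.7 port 41010 ssh2
Mar  3 10:16:00 vps sshd[2215]: Failed password for alice from 198.51.100.23 port 50122 ssh2
Mar  3 10:16:30 vps sshd[2220]: Accepted publickey for alice from 198.51.100.23 port 50130 ssh2: ED25519 SHA256:constructed
EOF
}

# Usage: sh ban_candidates.sh [/var/log/auth.log [maxretry]]
# Without arguments the constructed sample log is used.
log=${1:-}
max=${2:-2}
tmp=""
if [ -z "$log" ]; then
    log=$(mktemp); write_sample_authlog "$log"; tmp=$log
fi
echo "sources with at least $max failed passwords in $log:"
ssh_ban_candidates "$log" "$max"
if sshd_has_libwrap; then
    echo "sshd links libwrap: hosts.allow/hosts.deny apply to it"
else
    echo "sshd does not link libwrap: hosts.allow/hosts.deny do not apply to it"
fi
[ -z "$tmp" ] || rm -f "$tmp"
```

On the sample, ``maxretry = 2`` flags ``203.0.113.7`` (three failures) and leaves ``198.51.100.23`` alone (one failure, then a successful key login); lower the threshold to 1 and the legitimate user is on the list too, which is the trade-off behind the ``ignoreip`` advice above.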