My current favourite hosting company is Slicehost. When I start a new slice, I choose Ubuntu and get a shiny new virtual server with the default Ubuntu installation. Starting with that default installation, this step-by-step guide will give you a secure server with all the goodies mentioned above.
This example uses Ubuntu 8.04.
1. Update your distro
sudo apt-get dist-upgrade
2. First things first, secure the server
ssh config:
sudo vi /etc/ssh/sshd_config
This is what I recommend:
- Port: change to some port above 9000. That makes it just a bit more difficult to probe the server.
- PermitRootLogin: change to no. You don’t ever want to log in as root anyway. Log in as a user and sudo instead.
- LoginGraceTime: change to 20. That should be more than enough time for anyone to log in.
- RSAAuthentication: change to yes, so that you can use password-less logins using keys (nice when using Capistrano).
- AllowUsers: you need to add this setting. List the names of the accounts that are allowed to log in. Only users listed here will be able to log in. Highly recommended.
Next, restart the ssh daemon, and test that you can still log in. DO NOT LOG OFF UNLESS YOU HAVE TESTED THAT YOU CAN LOG IN FIRST :D. So, while still logged in, open another terminal and type:
ssh -p port_that_you_chose_above username@servername_or_ip_address
If all’s good, ssh configuration is complete.
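The settings listed above can be checked mechanically before you restart the daemon. The script below is an added example, not part of the original guide: the function name audit_sshd_config and the sample file are made up for illustration, and accepting any LoginGraceTime from 1 to 20 seconds is an assumption.

```sh
#!/bin/sh
# Added example: audit the global section of an sshd_config against the
# settings recommended above. Prints one FAIL line per deviation and
# returns the number of deviations (0 = every check passes).
# RSAAuthentication is not audited: it applies to SSH protocol 1 only.
audit_sshd_config() {
    awk '
    function bad(msg) { print "FAIL: " msg; n++ }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        key = line; sub(/[ \t=].*$/, "", key); key = tolower(key)
        if (key == "match") in_match = 1    # Match blocks are conditional
        if (in_match) next
        v = line
        sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        if (key == "port") {                # Port may repeat: check each one
            ports++
            if (v !~ /^[0-9]+$/ || v + 0 <= 9000 || v + 0 > 65535)
                low = low " " v
        } else if (!(key in val)) val[key] = v   # otherwise first value wins
    }
    END {
        if (!ports) bad("Port is unset, so sshd listens on the default port")
        if (low != "") bad("Port should be above 9000, found:" low)
        if (tolower(val["permitrootlogin"]) != "no")
            bad("PermitRootLogin should be no")
        g = val["logingracetime"]
        if (g !~ /^[0-9]+s?$/ || g + 0 < 1 || g + 0 > 20)
            bad("LoginGraceTime should be at most 20 seconds")
        if (val["allowusers"] == "")
            bad("AllowUsers is missing, so logins are not limited to named accounts")
        exit n + 0
    }' "$1"
}

# Constructed sample: a config with the port and root login left at risky values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from a real server
Port 22
PermitRootLogin yes
LoginGraceTime 20
AllowUsers deploy
EOF
audit_sshd_config "$sample" || echo "deviations found: $?"
rm -f "$sample"
```

Run it against a copy of /etc/ssh/sshd_config while your existing session is still open; a return value of 0 only means the listed settings are present, so the login test above is still required.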
Bastille Linux
This little gem is one of the most useful I know. It ensures that your server’s security is nice and tight.
sudo apt-get install bastille
sudo InteractiveBastille
Now just follow the instructions one by one, answering one question at a time. Make sure you also answer the firewall questions and enable the firewall. When it’s all said and done, you’ll have a nice secure server.
3. Install build-essential and Linux headers
We’ll need to be able to compile things, so we need this package. Note: some people believe that installing compilers on a production machine is an insecure practice, as it allows a potential hacker to compile their own attack binaries on the machine. If this is the case for you, do not install the package, and compile the binaries on another machine, then copy them to the proper locations on your production machine. We will be tightening security pretty nicely, so it is my opinion that this is not a big deal.
sudo apt-get install build-essential
sudo apt-get install linux-headers-
4. Now, let’s start by installing ruby and rubygems
sudo apt-get install ruby
sudo apt-get install rubygems
To be continued …