Linode Checklist

More notes. Sorry. 🙂

1. Hostname and TimeZone

Reference: https://www.linode.com/docs/getting-started

Add a line below localhost and ubuntu:

To set timezone:

The UI should be straightforward. Use the date command to confirm it’s correct.

2. Add User

Reference: https://www.linode.com/docs/security/securing-your-server/

3. Firewall

Reference: https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw

Be sure to allow SSH before activating the firewall, if you happen to be SSH’ing in to it.

4. Fail2Ban

Reference: https://www.linode.com/docs/security/securing-your-server/#installing-and-configuring-fail2ban

Fail2Ban adds IPTABLES entries for denying users that have triggered a ban. Thus, they will be denied access to the server for a period of time.

By default, Fail2Ban is configured to watch/track SSH connection traffic. Fail2Ban can be configured for other services as well.

Fail2Ban plays nice with UFW (both tools manage the IPTABLES). UFW will only show its own denied/allowed IPs, so the commands above are required for checking who is denied.

5a. Disable Root Login via SSH

Made the following changes:

5b. Allow SSH only from LAN

Set the ListenAddress to the internal IP (not the public IP).

5c. Remove SSH Server

6a. Install MariaDB

Reference: https://downloads.mariadb.org/mariadb/repositories/#mirror=digitalocean-nyc
Reference: https://www.vultr.com/docs/install-mariadb-on-ubuntu-14-04

Get latest package.

After running mysql_secure_installation, root will only be accessible locally.

6b. Configure MariaDB

Reference: https://www.linode.com/docs/databases/mariadb/mariadb-setup-debian7

To configure:

To enable remote connections, comment out the bind-address line:

To connect to the database.

Users:

Reference: https://mariadb.com/kb/en/mariadb/configuring-mariadb-for-remote-client-access/
Reference: https://www.linode.com/docs/websites/hosting-a-website/#creating-a-database

6c. Optimizing MariaDB

See suggestions here for things inside my.cnf you can change:

https://www.linode.com/docs/websites/hosting-a-website/#optimizing-mysql-for-a-linode-1gb

i.e. lower connections to 75 from 100, max_allowed_packet to 1M from 16M.

There is also an app that can look at logs and things and tell you what you should do to make it run better: mysqltuner

https://www.linode.com/docs/databases/mariadb/mariadb-setup-debian7#tuning-mariadb

Your database should operate for about 24 hours under normal usage for it to make suggestions.

6d. Backups

Reference: http://webcheatsheet.com/sql/mysql_backup_restore.php
Reference: http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html
A script with some nice ideas: http://www.docplanet.org/linux/backing-up-linux-web-server-live-via-ssh/

7. Litespeed

Reference: https://www.digitalocean.com/community/tutorials/how-to-install-the-openlitespeed-web-server-on-ubuntu-14-04
Reference: https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-openlitespeed-on-ubuntu-14-04

Latest version: http://open.litespeedtech.com/mediawiki/index.php/Downloads

Litespeed is now installed in /usr/local/lsws.

7b. OpenLiteSpeed on ARM

This is something I got working with a bit of know-how.

Now, before you build, you need to edit a file "include/ls_atomic.h".

8a. Install PHP 7

The latest version as of this writing is PHP7.0.0RC4. The build scripts are unable to fetch the RC builds, so you can manually fetch them as follows:

Now, build PHP 7 inside the UI.

NOTE: php.ini may not be copied, so you can acquire the file as follows:

8b. PHP 7 Extensions

To use phpize, you need autoconf.

GD: already installed (built-in)

APCu (branch): https://github.com/krakjoe/apcu/tree/seven

Imagick (branch) or Gmagick: https://github.com/mkoppanen/imagick/tree/phpseven

9. Web Server Configuration

Under General->Index Files, add index.php.

Under External App, click Edit.

To correctly handle CloudFlare’s IP proxying in LiteSpeed, you need to set General Settings->Use Client IP in Header to either YES or Trusted IP Only.

If using Trusted IPs Only, under Security->Access Control, set the Allowed List to:

This will change the server PHP variable $_SERVER['REMOTE_ADDR'] from the CloudFlare IP to the visitor's IP. $_SERVER['PROXY_REMOTE_ADDR'] will now contain the CloudFlare IP.

IPs sourced from here: https://www.cloudflare.com/ips

Adding a trailing T marks them as trusted.
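Why Trusted IP Only is the safer of the two settings, as an added example (not part of the original notes and not LiteSpeed's own code): a small Python model of the decision the server has to make for each request. It assumes the client address arrives in an X-Forwarded-For style header; the mode names, function names and address ranges are constructed for illustration.

```python
import ipaddress

# Constructed stand-ins for the proxy ranges (documentation address blocks);
# the real Allowed List entries come from https://www.cloudflare.com/ips.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def is_trusted(peer):
    """True when the socket peer address is inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr.version == net.version and addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer, forwarded_for, mode):
    """Return (REMOTE_ADDR, PROXY_REMOTE_ADDR) for one request.

    mode is "no", "yes" or "trusted" (assumed names for the three choices of
    Use Client IP in Header); forwarded_for is the raw header value or None.
    """
    if mode == "no" or not forwarded_for:
        return peer, None
    if mode == "trusted" and not is_trusted(peer):
        # Header sent by a host that is not a known proxy: ignore it.
        return peer, None
    # Model's choice: use the last entry, the one the connecting proxy appended;
    # earlier entries may have been supplied by the client itself.
    candidate = forwarded_for.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer, None  # malformed value: fall back to the socket address
    return candidate, peer


# Constructed requests: (socket peer, header value)
VIA_PROXY = ("192.0.2.10", "203.0.113.7")
DIRECT_WITH_FORGED_HEADER = ("198.51.100.66", "203.0.113.7")

if __name__ == "__main__":
    for mode in ("yes", "trusted"):
        for peer, header in (VIA_PROXY, DIRECT_WITH_FORGED_HEADER):
            print(mode, peer, "->", resolve_client_ip(peer, header, mode))
```

With mode "yes" the direct connection's header is believed, so logs, Fail2Ban-style bans and any PHP code reading REMOTE_ADDR would act on an address the sender chose; with "trusted" the socket address is kept.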

Add a Listener, Port 443, Secure YES. Add a Virtual Host Mapping to it.

Under SSL, set the Private Key File (something.key), Certificate File (something.crt), and the CA Certificate File (ca.pem). HTTPS will not work until you do this.

Use Listener->IP Address of [ALL] IPv6 to allow incoming connections over both IPv4 and IPv6. This may require a few soft resets to kick in properly (Dashboard was reporting a listener failure for me, until I reset it).