How to install and prepare a Linux server instance with Zesle
A: Follow the minimal steps below to prepare your instance, install Zesle and harden its security. SSH into the instance with an account that has root-level privileges.
Update system.
apt-get update
Upgrade system (optional, risky)
apt-get -y upgrade && apt-get -y full-upgrade
Install programs.
apt-get install curl   # required for Zesle
apt-get install nmap
apt-get install htop
apt-get install dnsutils   # provides dig
apt-get install ntp
Set timezone. (optional)
timedatectl set-ntp on
timedatectl set-timezone UTC
Install Zesle. Note that the installer is downloaded over plain HTTP and run as root.
cd /home && sudo curl -o latest -L http://zeslecp.com/release/latest && sudo sh latest
Run update.
apt-get update
Install firewall.
apt-get install ufw
ufw status numbered
ufw allow 22
ufw allow 80
ufw allow 443
ufw allow 2078   # Zesle port
ufw enable
In Zesle, first create SSH keys in the admin panel. Then disable password login:
vi /etc/ssh/sshd_config
PasswordAuthentication no
systemctl reload sshd
More security hardening.
vi /etc/fstab
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Sample config for hardening:
vi /etc/sysctl.conf
#IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
#Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
#Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
#Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
#Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
#Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
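A way to check that a sysctl.conf-style file actually carries values from the sample config above, as an added example that is not part of the original howto. The function names `lookup_setting` and `audit_sysctl` and the sample input are assumptions made for illustration, and only a subset of the keys is checked.

```shell
#!/bin/sh
# Added example (not from the original page): audit a sysctl.conf-style file
# against a subset of the hardening values listed in the sample config.

# Expected key=value pairs, copied from the sample config on this page.
EXPECTED="net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0"

# lookup_setting FILE KEY: print the last value assigned to KEY in FILE
# (later lines win, as when the file is loaded), skipping comment lines.
lookup_setting() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v; found = 1 }
        END { if (found) print val }' "$1"
}

# audit_sysctl FILE: print one line per deviation; return 1 if any was found.
audit_sysctl() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(lookup_setting "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key=$got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input: one commented-out key, one wrong value, rest absent.
sample=$(mktemp)
printf '%s\n' '#net.ipv4.conf.all.rp_filter = 1' \
    'net.ipv4.tcp_syncookies = 0' \
    'net.ipv4.conf.all.log_martians = 1' > "$sample"
audit_sysctl "$sample" || echo "deviations found in $sample"
rm -f "$sample"
```

On the server, run `audit_sysctl /etc/sysctl.conf`, then load the file with `sysctl -p` so the values take effect.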
Run update.
apt-get update
Do nmap scan.
nmap -A -v IP
See last 100 lines of journal.
journalctl -n 100
OK? Then clear the shell history and exit.
history -c
Proceed by logging in to your Zesle account and manage the server from there.