Generic Linux server setup

From dtype.org

Things to do on all servers:

Log management

awslogs

  • /var/log/auth.log
  • /var/log/mail.log
  • /var/log/syslog

Move cron messages to their own log

  • /etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none,cron.none   -/var/log/syslog
cron.*                             /var/log/cron.log

Keep cron session messages out of auth.log

  • /etc/pam.d/common-session-noninteractive, at end of file
# and here are more per-package modules (the "Additional" block)
session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
session	required	pam_unix.so

Other

Send mail through the SES relay

  • /etc/postfix/main.cf
## AWS

relayhost = [email-smtp.us-east-1.amazonaws.com]:25
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
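
Added example (not part of the original notes): a read-only shell check that the relay settings above actually hold on a server, i.e. SASL auth is only enabled together with mandatory TLS and the credential file is not readable by other users. The function names are this example's own; it assumes GNU stat and that sasl_passwd is keyed by the exact relayhost value.

```shell
#!/bin/sh
# Added example: audit a Postfix relay config. Reads files only, changes nothing.

# Print the effective value of a main.cf parameter (the last assignment wins).
conf_get() {  # conf_get <main.cf> <parameter>
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

check_relay() {  # check_relay <main.cf> <sasl_passwd>; exit status = number of findings
    cf=$1 pw=$2 bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    relay=$(conf_get "$cf" relayhost)
    [ -n "$relay" ] || fail "relayhost is not set"

    if [ "$(conf_get "$cf" smtp_sasl_auth_enable)" = yes ]; then
        # SASL credentials must never be sent unless TLS is mandatory.
        case $(conf_get "$cf" smtp_tls_security_level) in
            encrypt|verify|secure|dane-only|fingerprint) ;;
            *) fail "SASL enabled but smtp_tls_security_level does not force TLS" ;;
        esac
        case $(conf_get "$cf" smtp_sasl_security_options) in
            *noanonymous*) ;;
            *) fail "smtp_sasl_security_options lacks noanonymous" ;;
        esac
        # The map source and its compiled .db hold the SMTP credentials in clear text.
        for f in "$pw" "$pw.db"; do
            [ -e "$f" ] || continue
            mode=$(stat -c %a "$f")   # assumes GNU stat
            case $mode in
                600|400) ;;
                *) fail "$f has mode $mode, expected 600" ;;
            esac
        done
        # Assumption: the lookup key is the relayhost string, brackets and port included.
        if [ -r "$pw" ] && ! awk -v k="$relay" '$1 == k { found = 1 } END { exit !found }' "$pw"; then
            fail "no sasl_passwd entry for $relay"
        fi
    fi
    return "$bad"
}

# Usage: sh check_relay.sh /etc/postfix/main.cf /etc/postfix/sasl_passwd
[ "$#" -eq 0 ] || check_relay "$@"
```

A zero exit status means no findings; each finding is printed as a FAIL line.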

fail2ban

  • do