Generic Linux server setup: Difference between revisions

From dtype.org
No edit summary
(mail config)
 
Latest revision as of 17:13, 23 April 2017

Things to do on all servers:

Log management

awslogs

  • /var/log/auth.log
  • /var/log/mail.log
  • /var/log/syslog

Move cron messages out of syslog and into their own log:

  • /etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none,cron.none   -/var/log/syslog
cron.*                             /var/log/cron.log

Keep cron session messages out of auth.log:

  • /etc/pam.d/common-session-noninteractive, at end of file
# and here are more per-package modules (the "Additional" block)
session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
session	required	pam_unix.so

Other

mail through SES relay

  • /etc/postfix/main.cf
## AWS
relayhost = [email-smtp.us-east-1.amazonaws.com]:25
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
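
The relay settings above depend on /etc/postfix/sasl_passwd, which holds the SES SMTP credentials in cleartext. The following check is an added example, not part of the original page: it audits a main.cf for the settings shown here and for the mode of the credential file. The function names, the sample file and the placeholder credentials are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit main.cf for the SES relay settings.
conf_get() {  # conf_get FILE KEY -> last value set for KEY (later lines win)
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

audit_relay() {  # audit_relay FILE -> prints findings, returns 1 if any
    local cf=$1 rc=0 file mode
    [ -n "$(conf_get "$cf" relayhost)" ] || { echo "FAIL: relayhost not set"; rc=1; }
    [ "$(conf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        { echo "FAIL: smtp_sasl_auth_enable is not yes"; rc=1; }
    case "$(conf_get "$cf" smtp_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "FAIL: anonymous SASL mechanisms allowed"; rc=1 ;;
    esac
    # Only these levels refuse to send without TLS; "may" and "dane" can fall back.
    case "$(conf_get "$cf" smtp_tls_security_level)" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "FAIL: smtp_tls_security_level is not encrypt or stronger"; rc=1 ;;
    esac
    # Credential map: strip the "hash:" type prefix and check the source file's mode.
    file=$(conf_get "$cf" smtp_sasl_password_maps); file=${file#*:}
    if [ ! -f "$file" ]; then
        echo "FAIL: password map source '$file' not found"; rc=1
    else
        mode=$(stat -c %a "$file")   # GNU stat, as on Linux
        case "$mode" in
            600|400) ;;
            *) echo "FAIL: $file is mode $mode, expected 600"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Constructed sample: the page's main.cf values plus a placeholder credential file.
make_sample() {  # make_sample DIR MODE
    printf '%s\n' \
        'relayhost = [email-smtp.us-east-1.amazonaws.com]:25' \
        'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_security_options = noanonymous' \
        "smtp_sasl_password_maps = hash:$1/sasl_passwd" \
        'smtp_tls_security_level = encrypt' > "$1/main.cf"
    echo '[email-smtp.us-east-1.amazonaws.com]:25 USER_PLACEHOLDER:PASS_PLACEHOLDER' > "$1/sasl_passwd"
    chmod "$2" "$1/sasl_passwd"
}

d=$(mktemp -d); make_sample "$d" 644   # world-readable credentials: should be flagged
audit_relay "$d/main.cf" || echo "audit reported findings"
rm -rf "$d"
```

On a real host, run `audit_relay /etc/postfix/main.cf` as root so the credential file can be inspected.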

fail2ban

  • do