new deploy: 2022-09-12T10:31:15+00:00
This commit is contained in:
parent c80f0fc69e
commit 4dc57a13ad
16 changed files with 237 additions and 167 deletions
|
@ -405,10 +405,9 @@ but knowing how to do it manually using industry standard
|
|||
technologies always helps!</p>
|
||||
<p>We will be using the following technologies to deploy our website:</p>
|
||||
<ol>
|
||||
<li>GNU/Linux server(Debian)</li>
|
||||
<li>Nginx (webs server)</li>
|
||||
<li>Let's Encrypt (for HTTPS)</li>
|
||||
<li>Gitea (but any Git hosting works)</li>
|
||||
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
|
||||
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
|
||||
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
|
||||
</ol>
|
||||
<p>Let's get started!</p>
|
||||
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
|
||||
|
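Review bot: the "Gitea (but any Git hosting works)" item is dropped from the list without a replacement, so "We will be using the following technologies" now promises three tools; if a later section still pushes the site to the server from a Git remote, the list and the steps disagree, and if Git really is out of the workflow the post should say so where readers expect it. Two typos survive into the new lines: "webs server" should read "web server", and "server(Debian)" needs a space before the parenthesis.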
@ -439,25 +438,32 @@ from a lower-privileged account. Let's make our account sudo capable:</p>
|
|||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>Uncomplicated Firewall(<code>ufw</code>) is a popular firewall that is easy to
|
||||
set up and maintain. For most installations, this should be enough.
|
||||
System administrators use firewalls to open only the ports that they
|
||||
think should receive traffic from external networks. Without it, all
|
||||
ports will be open, causing a security nightmare.</p>
|
||||
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
|
||||
Firewall(<code>ufw</code>)</a> is a
|
||||
popular firewall that is easy to set up and maintain. For most
|
||||
installations, this should be enough. System administrators use
|
||||
firewalls to open only the ports that they think should receive traffic
|
||||
from external networks. Without it, all ports will be open, causing a
|
||||
security nightmare.</p>
|
||||
<p>We will require standard SSH (22), and the standard web ports (80 and
|
||||
443). A comprehensive list of services and the list of ports the listen
|
||||
on is available at `/etc/services.</p>
|
||||
<pre data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt "><code class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt" data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt"><span>install ufw # we are using `ufw` for the firewall
|
||||
</span><span>$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
|
||||
</span><span>$ sudo ufw enable # deploy firewall
|
||||
on is available at <code>/etc/services</code>.</p>
|
||||
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update && </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
|
||||
</span></code></pre>
|
||||
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>SSH allows remote access to our servers over secure, encrypted
|
||||
channels. By default, users can log in with their password
|
||||
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.</p>
|
||||
<p>SSH allows remote access to our servers over secure, encrypted channels.
|
||||
By default, users can log in with their password using SSH. But password
|
||||
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
|
||||
attacks</a>,
|
||||
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
|
||||
public-key authentication
|
||||
only</a>.</p>
|
||||
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
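Review bot: in the rebuilt code block the second command runs unprivileged: `$ sudo apt update && apt upgrade` applies sudo only to the first half, so `apt upgrade` fails with a permission error on Debian; write `sudo apt update && sudo apt upgrade`. The prose above says SSH, 80 and 443 are required, but the block only allows ssh before `ufw enable`; either add `sudo ufw allow 80,443/tcp` here or state that the web ports are opened in the Nginx section, otherwise a reader who stops at this point has a firewall blocking their own site. Two wording slips are carried over unchanged: "the list of ports the listen on" should read "they listen on", and "only allow public-key authentication only" has a duplicated "only". The fence repair itself is right: in the old `<pre data-lang="bash $ sudo apt update ...">` the first command had been swallowed into the fence's language tag.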
@ -525,7 +531,10 @@ the server, let's disable password authentication on the server:</p>
|
|||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>We will be using <code>fail2ban</code> for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.</p>
|
||||
<p>We will be using
|
||||
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
|
||||
intrusion prevention by blacklisting entities (users, bots, etc.) based
|
||||
on failed login attempts.</p>
|
||||
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
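Review bot: the subsection number collides: this heading is an h4 numbered "1.3.1) Install fail2ban" while the h3 earlier in the same file is "1.3.1) Generate key pair". The anchor ids differ (`1-3-1-install-fail2ban` vs `1-3-1-generate-key-pair`), so links work, but the visible numbering is wrong; give fail2ban its own number (1.3.2 or 1.4) and renumber its children to match. The spelling fix "blackiisting" to "blacklisting" and the added link are fine.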
@ -709,7 +718,8 @@ authority to get our SSL certificates.</p>
|
|||
will have to log in every three months and renew the
|
||||
certificate. If you fail or forget it, your visitors will see security
|
||||
warnings on your website.</p>
|
||||
<p>Thankfully, Let's Encrypt provides automation through <code>certbot</code></p>
|
||||
<p>Thankfully, there is a way to automate this process through
|
||||
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
|
||||
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code>:<a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
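Review bot: the rewritten sentence still lacks a full stop: both the old line and the new `<a href="https://certbot.eff.org/"><code>certbot</code></a></p>` end directly after the code tag. The heading "2.3.1) Install certbot:" carries a trailing colon that no other heading in this file uses; drop it for consistency. In the context line, "SSL certificates" would more accurately be "TLS certificates", since Let's Encrypt issues certificates for TLS.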
@ -760,7 +770,7 @@ you.</p>
|
|||
|
||||
<a class="blog__post-tag" href="/tags/jamstack">#JAMStack</a>
|
||||
|
||||
<a class="blog__post-tag" href="/tags/git">#git</a>
|
||||
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
|
||||
|
||||
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>
|
||||
|
||||
|
|
|
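Review bot: swapping the post's `#git` tag for `#lets-encrypt` matches the removal of the Gitea item from the tool list, but the same commit also drops the /tags/git/ page and its feed in the sitemap and tag-index hunks, so the post's own text should make clear that Git is no longer part of the workflow; if it still is, keep the old tag and only add the new one.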
@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
|
|||
technologies always helps!</p>
|
||||
<p>We will be using the following technologies to deploy our website:</p>
|
||||
<ol>
|
||||
<li>GNU/Linux server(Debian)</li>
|
||||
<li>Nginx (webs server)</li>
|
||||
<li>Let's Encrypt (for HTTPS)</li>
|
||||
<li>Gitea (but any Git hosting works)</li>
|
||||
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
|
||||
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
|
||||
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
|
||||
</ol>
|
||||
<p>Let's get started!</p>
|
||||
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
|
||||
|
@ -53,25 +52,32 @@ from a lower-privileged account. Let's make our account sudo capable:<&#
|
|||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>Uncomplicated Firewall(<code>ufw</code>) is a popular firewall that is easy to
|
||||
set up and maintain. For most installations, this should be enough.
|
||||
System administrators use firewalls to open only the ports that they
|
||||
think should receive traffic from external networks. Without it, all
|
||||
ports will be open, causing a security nightmare.</p>
|
||||
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
|
||||
Firewall(<code>ufw</code>)</a> is a
|
||||
popular firewall that is easy to set up and maintain. For most
|
||||
installations, this should be enough. System administrators use
|
||||
firewalls to open only the ports that they think should receive traffic
|
||||
from external networks. Without it, all ports will be open, causing a
|
||||
security nightmare.</p>
|
||||
<p>We will require standard SSH (22), and the standard web ports (80 and
|
||||
443). A comprehensive list of services and the list of ports the listen
|
||||
on is available at `/etc/services.</p>
|
||||
<pre data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt "><code class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt" data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt"><span>install ufw # we are using `ufw` for the firewall
|
||||
</span><span>$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
|
||||
</span><span>$ sudo ufw enable # deploy firewall
|
||||
on is available at <code>/etc/services</code>.</p>
|
||||
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update &amp;&amp; </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
|
||||
</span></code></pre>
|
||||
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>SSH allows remote access to our servers over secure, encrypted
|
||||
channels. By default, users can log in with their password
|
||||
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.</p>
|
||||
<p>SSH allows remote access to our servers over secure, encrypted channels.
|
||||
By default, users can log in with their password using SSH. But password
|
||||
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
|
||||
attacks</a>,
|
||||
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
|
||||
public-key authentication
|
||||
only</a>.</p>
|
||||
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
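Review bot: this hunk repeats the rendered post inside a feed file (note the `&amp;&amp;` escaping in the new `<pre>` line and the `<&#` at the end of the hunk header), so it inherits the same defects as the page above: `apt upgrade` without sudo, "webs server", "ports the listen on", the doubled "only" and the duplicate 1.3.1 numbering in the next hunk. All of these files are Zola build output; the fix belongs in the Markdown source of the post, which is not part of this diff, and a rebuild will propagate it to every copy here.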
@ -139,7 +145,10 @@ the server, let's disable password authentication on the server:</p
|
|||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>We will be using <code>fail2ban</code> for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.</p>
|
||||
<p>We will be using
|
||||
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
|
||||
intrusion prevention by blacklisting entities (users, bots, etc.) based
|
||||
on failed login attempts.</p>
|
||||
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
@ -323,7 +332,8 @@ authority to get our SSL certificates.</p>
|
|||
will have to log in every three months and renew the
|
||||
certificate. If you fail or forget it, your visitors will see security
|
||||
warnings on your website.</p>
|
||||
<p>Thankfully, Let's Encrypt provides automation through <code>certbot</code></p>
|
||||
<p>Thankfully, there is a way to automate this process through
|
||||
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
|
||||
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code>:<a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
|
|
@ -265,8 +265,8 @@ general development ecosystem" />
|
|||
>#JAMStack</a
|
||||
>
|
||||
|
||||
<a class="blog__post-tag" href="/tags/git"
|
||||
>#git</a
|
||||
<a class="blog__post-tag" href="/tags/lets-encrypt"
|
||||
>#lets-encrypt</a
|
||||
>
|
||||
|
||||
<a class="blog__post-tag" href="/tags/self-hosting"
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -29,10 +29,10 @@
|
|||
<loc>https://librepages.org/tags/bare-metal/</loc>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://librepages.org/tags/git/</loc>
|
||||
<loc>https://librepages.org/tags/jamstack/</loc>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://librepages.org/tags/jamstack/</loc>
|
||||
<loc>https://librepages.org/tags/lets-encrypt/</loc>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://librepages.org/tags/nginx/</loc>
|
||||
|
|
|
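Review bot: `<loc>https://librepages.org/tags/git/</loc>` is removed and `<loc>https://librepages.org/tags/lets-encrypt/</loc>` added, but nothing in the commit redirects the old tag URL; crawlers that indexed /tags/git/ from the previous sitemap will now get a 404. Either keep a redirect for the retired tag or accept the dead link deliberately. Note also that this file uses the lowercase slug /tags/jamstack/, matching the post page, while the blog listing pages in this commit link to `href="/tags/JAMStack"`, which is a different path on a case-sensitive server.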
@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
|
|||
technologies always helps!</p>
|
||||
<p>We will be using the following technologies to deploy our website:</p>
|
||||
<ol>
|
||||
<li>GNU/Linux server(Debian)</li>
|
||||
<li>Nginx (webs server)</li>
|
||||
<li>Let's Encrypt (for HTTPS)</li>
|
||||
<li>Gitea (but any Git hosting works)</li>
|
||||
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
|
||||
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
|
||||
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
|
||||
</ol>
|
||||
<p>Let's get started!</p>
|
||||
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
|
||||
|
@ -53,25 +52,32 @@ from a lower-privileged account. Let's make our account sudo capable:<&#
|
|||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>Uncomplicated Firewall(<code>ufw</code>) is a popular firewall that is easy to
|
||||
set up and maintain. For most installations, this should be enough.
|
||||
System administrators use firewalls to open only the ports that they
|
||||
think should receive traffic from external networks. Without it, all
|
||||
ports will be open, causing a security nightmare.</p>
|
||||
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
|
||||
Firewall(<code>ufw</code>)</a> is a
|
||||
popular firewall that is easy to set up and maintain. For most
|
||||
installations, this should be enough. System administrators use
|
||||
firewalls to open only the ports that they think should receive traffic
|
||||
from external networks. Without it, all ports will be open, causing a
|
||||
security nightmare.</p>
|
||||
<p>We will require standard SSH (22), and the standard web ports (80 and
|
||||
443). A comprehensive list of services and the list of ports the listen
|
||||
on is available at `/etc/services.</p>
|
||||
<pre data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt "><code class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt" data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt"><span>install ufw # we are using `ufw` for the firewall
|
||||
</span><span>$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
|
||||
</span><span>$ sudo ufw enable # deploy firewall
|
||||
on is available at <code>/etc/services</code>.</p>
|
||||
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update &amp;&amp; </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
|
||||
</span></code></pre>
|
||||
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>SSH allows remote access to our servers over secure, encrypted
|
||||
channels. By default, users can log in with their password
|
||||
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.</p>
|
||||
<p>SSH allows remote access to our servers over secure, encrypted channels.
|
||||
By default, users can log in with their password using SSH. But password
|
||||
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
|
||||
attacks</a>,
|
||||
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
|
||||
public-key authentication
|
||||
only</a>.</p>
|
||||
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
@ -139,7 +145,10 @@ the server, let's disable password authentication on the server:</p
|
|||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>We will be using <code>fail2ban</code> for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.</p>
|
||||
<p>We will be using
|
||||
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
|
||||
intrusion prevention by blacklisting entities (users, bots, etc.) based
|
||||
on failed login attempts.</p>
|
||||
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
@ -323,7 +332,8 @@ authority to get our SSL certificates.</p>
|
|||
will have to log in every three months and renew the
|
||||
certificate. If you fail or forget it, your visitors will see security
|
||||
warnings on your website.</p>
|
||||
<p>Thankfully, Let's Encrypt provides automation through <code>certbot</code></p>
|
||||
<p>Thankfully, there is a way to automate this process through
|
||||
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
|
||||
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code>:<a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
|
|
@ -259,7 +259,7 @@
|
|||
|
||||
<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>
|
||||
|
||||
<a class="blog__post-tag" href="/tags/git">#git</a>
|
||||
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
|
||||
|
||||
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>
|
||||
|
||||
|
|
|
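Review bot: `href="/tags/JAMStack"` uses a mixed-case slug while the post page (`/tags/jamstack`), the sitemap and the tag index (`https://librepages.org/tags/jamstack/`) use lowercase. Zola generates the lowercase path, so on a case-sensitive filesystem the capitalised link is a 404; normalise the listing template to the lowercase slug. The `#git` to `#lets-encrypt` swap itself matches the other files.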
@ -252,26 +252,6 @@
|
|||
</li>
|
||||
</a>
|
||||
|
||||
<li class="tag__item">
|
||||
<a href="https://librepages.org/tags/git/" class="tag__item-link">
|
||||
<h2 class="tag__item-title">#git</h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<span class="tag__meta">1 entry</span>
|
||||
</a>
|
||||
<a class="tag__rss-link" href="https://librepages.org/tags/git/atom.xml" target="_blank" rel="noopener" title="RSS">
|
||||
<img
|
||||
src="https://librepages.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"
|
||||
class="tag__rss-icon"
|
||||
alt="RSS icon"
|
||||
/>
|
||||
</a>
|
||||
</li>
|
||||
</a>
|
||||
|
||||
<li class="tag__item">
|
||||
<a href="https://librepages.org/tags/jamstack/" class="tag__item-link">
|
||||
<h2 class="tag__item-title">#JAMStack</h2>
|
||||
|
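Review bot: the removed block confirms the #git tag had `1 entry`, so retiring the tag page together with the post's tag is consistent, but it also removes the subscribable feed `https://librepages.org/tags/git/atom.xml`; readers pointed at it will poll a 404 with no notice. Separately, and not introduced by this change, each item closes with `</li>` and is then followed by a bare `</a>` with no opening anchor at that level (visible before both `<li class="tag__item">` lines), so the tag template emits a stray closing tag per entry; worth fixing in the template since every rebuild reproduces it.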
@ -292,6 +272,26 @@
|
|||
</li>
|
||||
</a>
|
||||
|
||||
<li class="tag__item">
|
||||
<a href="https://librepages.org/tags/lets-encrypt/" class="tag__item-link">
|
||||
<h2 class="tag__item-title">#lets-encrypt</h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<span class="tag__meta">1 entry</span>
|
||||
</a>
|
||||
<a class="tag__rss-link" href="https://librepages.org/tags/lets-encrypt/atom.xml" target="_blank" rel="noopener" title="RSS">
|
||||
<img
|
||||
src="https://librepages.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"
|
||||
class="tag__rss-icon"
|
||||
alt="RSS icon"
|
||||
/>
|
||||
</a>
|
||||
</li>
|
||||
</a>
|
||||
|
||||
<li class="tag__item">
|
||||
<a href="https://librepages.org/tags/nginx/" class="tag__item-link">
|
||||
<h2 class="tag__item-title">#nginx</h2>
|
||||
|
|
|
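Review bot: the added lets-encrypt entry is consistent with the sitemap and the post tag (same lowercase slug, same `1 entry` count, same atom.xml path), and it keeps `rel="noopener"` on the `target="_blank"` RSS link, which is right. It also reproduces the stray `</a>` that follows each `</li>` in this template (see the `</li>` / `</a>` pair right before `<li class="tag__item">`), a template bug worth fixing separately.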
@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
|
|||
technologies always helps!</p>
|
||||
<p>We will be using the following technologies to deploy our website:</p>
|
||||
<ol>
|
||||
<li>GNU/Linux server(Debian)</li>
|
||||
<li>Nginx (webs server)</li>
|
||||
<li>Let's Encrypt (for HTTPS)</li>
|
||||
<li>Gitea (but any Git hosting works)</li>
|
||||
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
|
||||
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
|
||||
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
|
||||
</ol>
|
||||
<p>Let's get started!</p>
|
||||
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
|
||||
|
@ -53,25 +52,32 @@ from a lower-privileged account. Let's make our account sudo capable:<&#
|
|||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>Uncomplicated Firewall(<code>ufw</code>) is a popular firewall that is easy to
|
||||
set up and maintain. For most installations, this should be enough.
|
||||
System administrators use firewalls to open only the ports that they
|
||||
think should receive traffic from external networks. Without it, all
|
||||
ports will be open, causing a security nightmare.</p>
|
||||
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
|
||||
Firewall(<code>ufw</code>)</a> is a
|
||||
popular firewall that is easy to set up and maintain. For most
|
||||
installations, this should be enough. System administrators use
|
||||
firewalls to open only the ports that they think should receive traffic
|
||||
from external networks. Without it, all ports will be open, causing a
|
||||
security nightmare.</p>
|
||||
<p>We will require standard SSH (22), and the standard web ports (80 and
|
||||
443). A comprehensive list of services and the list of ports the listen
|
||||
on is available at `/etc/services.</p>
|
||||
<pre data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt "><code class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt" data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt"><span>install ufw # we are using `ufw` for the firewall
|
||||
</span><span>$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
|
||||
</span><span>$ sudo ufw enable # deploy firewall
|
||||
on is available at <code>/etc/services</code>.</p>
|
||||
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update &amp;&amp; </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
|
||||
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
|
||||
</span></code></pre>
|
||||
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>SSH allows remote access to our servers over secure, encrypted
|
||||
channels. By default, users can log in with their password
|
||||
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.</p>
|
||||
<p>SSH allows remote access to our servers over secure, encrypted channels.
|
||||
By default, users can log in with their password using SSH. But password
|
||||
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
|
||||
attacks</a>,
|
||||
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
|
||||
public-key authentication
|
||||
only</a>.</p>
|
||||
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
@ -139,7 +145,10 @@ the server, let's disable password authentication on the server:</p
|
|||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
</h3>
|
||||
<p>We will be using <code>fail2ban</code> for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.</p>
|
||||
<p>We will be using
|
||||
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
|
||||
intrusion prevention by blacklisting entities (users, bots, etc.) based
|
||||
on failed login attempts.</p>
|
||||
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
@ -323,7 +332,8 @@ authority to get our SSL certificates.</p>
|
|||
will have to log in every three months and renew the
|
||||
certificate. If you fail or forget it, your visitors will see security
|
||||
warnings on your website.</p>
|
||||
<p>Thankfully, Let's Encrypt provides automation through <code>certbot</code></p>
|
||||
<p>Thankfully, there is a way to automate this process through
|
||||
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
|
||||
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code>:<a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
|
||||
><span class="anchor-icon">#</span></a
|
||||
>
|
||||
|
|
|
@ -259,7 +259,7 @@
|
|||
|
||||
<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>
|
||||
|
||||
<a class="blog__post-tag" href="/tags/git">#git</a>
|
||||
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
|
||||
|
||||
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>
|
||||
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
|
||||
<title> - git</title>
|
||||
<link href="https://librepages.org/tags/git/atom.xml" rel="self" type="application/atom+xml"/>
|
||||
<title> - lets-encrypt</title>
|
||||
<link href="https://librepages.org/tags/lets-encrypt/atom.xml" rel="self" type="application/atom+xml"/>
|
||||
<link href="https://librepages.org"/>
|
||||
<generator uri="https://www.getzola.org/">Zola</generator>
|
||||
<updated>2022-09-10T00:00:00+00:00</updated>
|
||||
<id>https://librepages.org/tags/git/atom.xml</id>
|
||||
<id>https://librepages.org/tags/lets-encrypt/atom.xml</id>
|
||||
<entry xml:lang="en">
|
||||
<title>How to deploy a website WITHOUT LibrePages</title>
|
||||
<published>2022-09-10T00:00:00+00:00</published>
|
||||
|
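Review bot: the feed title `<title> - lets-encrypt</title>` starts with a bare " - ", i.e. the site-title part before the tag name is empty (the old ` - git` line had the same defect), so subscribers see a feed named " - lets-encrypt"; set the site title in the Zola config or drop the separator in the feed template. Changing `<id>` to `https://librepages.org/tags/lets-encrypt/atom.xml` is correct, since an Atom id must be permanent and unique per feed, but it means readers treat this as a brand-new feed rather than a renamed one; together with the removal of the git feed elsewhere in the commit, existing subscribers are not carried over.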
@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
|
|||
technologies always helps!</p>
|
||||
<p>We will be using the following technologies to deploy our website:</p>
|
||||
<ol>
|
||||
<li>GNU/Linux server(Debian)</li>
|
||||
<li>Nginx (webs server)</li>
|
||||
<li>Let's Encrypt (for HTTPS)</li>
|
||||
<li>Gitea (but any Git hosting works)</li>
|
||||
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
|
||||
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
|
||||
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
|
||||
</ol>
|
||||
<p>Let's get started!</p>
|
||||
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
|
||||
|
@ -53,25 +52,32 @@ from a lower-privileged account. Let's make our account sudo capable:<&#
><span class="anchor-icon">#</span></a
>
</h3>
<p>Uncomplicated Firewall(<code>ufw</code>) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.</p>
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
Firewall(<code>ufw</code>)</a> is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.</p>
<p>We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `/etc/services.</p>
<pre data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt "><code class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt" data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt"><span>install ufw # we are using `ufw` for the firewall
</span><span>$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
</span><span>$ sudo ufw enable # deploy firewall
on is available at <code>/etc/services</code>.</p>
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update &amp;&amp; </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
</span></code></pre>
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
><span class="anchor-icon">#</span></a
>
</h3>
<p>SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.</p>
<p>SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
attacks</a>,
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
public-key authentication
only</a>.</p>
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
><span class="anchor-icon">#</span></a
>
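Review bot: the first command in the rewritten code block, `sudo apt update && apt upgrade`, only elevates the first half; run from the non-root sudo account this post sets up, `apt upgrade` will fail with a permissions error. Suggest `$ sudo apt update && sudo apt upgrade`. Two smaller points in the same hunk: the paragraph above the block says SSH (22), 80 and 443 are required, but the block only runs `ufw allow ssh` before `ufw enable`, so the web ports must be opened in a later section or the site is unreachable once the firewall is up; and the wording carried into the new lines still reads "the list of ports the listen on" (should be "they listen on") and "only allow public-key authentication only" (drop one "only"). The old fence attribute `data-lang="bash $ sudo apt update && apt upgrade ..."` shows the earlier Markdown had the first commands on the fence line itself; the new block fixes that correctly.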
@ -139,7 +145,10 @@ the server, let's disable password authentication on the server:</p
><span class="anchor-icon">#</span></a
>
</h3>
<p>We will be using <code>fail2ban</code> for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.</p>
<p>We will be using
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.</p>
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
><span class="anchor-icon">#</span></a
>
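Review bot: the heading `1.3.1) Install <code>fail2ban</code>` at the end of this hunk reuses the number already given to `1.3.1) Generate key pair` in the previous hunk, so two sections share a number in the table of contents; renumber it (the element ids differ, so anchors are unaffected). The `blackiisting` typo is fixed correctly by the new lines.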
@ -323,7 +332,8 @@ authority to get our SSL certificates.</p>
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.</p>
<p>Thankfully, Let's Encrypt provides automation through <code>certbot</code></p>
<p>Thankfully, there is a way to automate this process through
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code>:<a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
><span class="anchor-icon">#</span></a
>
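Review bot: the rewritten sentence `<a href="https://certbot.eff.org/"><code>certbot</code></a></p>` still lacks a full stop, as the old line did; add `.` after the closing `</a>`. The heading `2.3.1) Install <code>certbot</code>:` also carries a trailing colon that the other headings in this post do not use.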
@ -34,21 +34,21 @@
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="viewport" content="width=device-width, initial-scale=1" />

<title>git | LibrePages: JAMstack platform with focus on privacy and speed</title>
<title>lets-encrypt | LibrePages: JAMstack platform with focus on privacy and speed</title>
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="viewport" content="width=device-width, initial-scale=1" />

<meta name="description" content="git" />
<meta name="description" content="lets-encrypt" />


<meta property="og:title" content="git | LibrePages: JAMstack platform with focus on privacy and speed" />
<meta property="og:title" content="lets-encrypt | LibrePages: JAMstack platform with focus on privacy and speed" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://librepages.org" />

<meta property="og:description" content="git" />
<meta property="og:description" content="lets-encrypt" />
<meta
property="og:site_name"
content="git | LibrePages: JAMstack platform with focus on privacy and speed"
content="lets-encrypt | LibrePages: JAMstack platform with focus on privacy and speed"
/>
<link
rel="apple-touch-icon"
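Review bot: the unchanged context line `<meta property="og:url" content="https://librepages.org" />` points at the site root rather than this tag page's own URL, so link previews of the renamed `lets-encrypt` tag page will resolve to the home page; set it to the page's canonical URL. Also, `description` and `og:description` are set to the bare tag slug `lets-encrypt`; a short sentence describing the tag would serve previews and search results better.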
@ -228,8 +228,8 @@
<div class="blog__container">

<div class="tag__title-container">
<h1 class="tag__title">#git</h1>
<a class="tag__rss-link--single" href="https://librepages.org/tags/git/atom.xml" target="_blank" rel="noopener" title="RSS">
<h1 class="tag__title">#lets-encrypt</h1>
<a class="tag__rss-link--single" href="https://librepages.org/tags/lets-encrypt/atom.xml" target="_blank" rel="noopener" title="RSS">
<img
src="https://librepages.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"
class="tag__rss-icon--single"
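Review bot: renaming the tag moves the feed from `https://librepages.org/tags/git/atom.xml` to `https://librepages.org/tags/lets-encrypt/atom.xml`; anyone subscribed to the old feed URL will start getting 404s unless a redirect for the old path is kept. Keeping `rel="noopener"` on the `target="_blank"` link in the new line is correct.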
@ -259,7 +259,7 @@

<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>

<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>

<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>
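Review bot: the tag list mixes `#JAMStack` (from the unchanged context line `href="/tags/JAMStack"`) with the `JAMstack` casing used in the page `<title>` in the earlier hunk; pick one spelling, since tag slugs are case-sensitive paths. The `#git` to `#lets-encrypt` swap itself is consistent with the tag page rename above.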
@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
technologies always helps!</p>
<p>We will be using the following technologies to deploy our website:</p>
<ol>
<li>GNU/Linux server(Debian)</li>
<li>Nginx (webs server)</li>
<li>Let's Encrypt (for HTTPS)</li>
<li>Gitea (but any Git hosting works)</li>
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
</ol>
<p>Let's get started!</p>
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
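Review bot: dropping `<li>Gitea (but any Git hosting works)</li>` leaves the stack list with no mention of where the site's source lives; if later steps still pull the site from a Git remote, that item should stay in the list (linked, like the other three) rather than be removed. The `(webs server)` typo on the Nginx item is carried over unchanged into the new line.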
@ -53,25 +52,32 @@ from a lower-privileged account. Let's make our account sudo capable:<&#
><span class="anchor-icon">#</span></a
>
</h3>
<p>Uncomplicated Firewall(<code>ufw</code>) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.</p>
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
Firewall(<code>ufw</code>)</a> is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.</p>
<p>We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `/etc/services.</p>
<pre data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt "><code class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt" data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt"><span>install ufw # we are using `ufw` for the firewall
</span><span>$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
</span><span>$ sudo ufw enable # deploy firewall
on is available at <code>/etc/services</code>.</p>
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update &amp;&amp; </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
</span></code></pre>
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
><span class="anchor-icon">#</span></a
>
</h3>
<p>SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.</p>
<p>SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
attacks</a>,
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
public-key authentication
only</a>.</p>
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
><span class="anchor-icon">#</span></a
>
@ -139,7 +145,10 @@ the server, let's disable password authentication on the server:</p
><span class="anchor-icon">#</span></a
>
</h3>
<p>We will be using <code>fail2ban</code> for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.</p>
<p>We will be using
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.</p>
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
><span class="anchor-icon">#</span></a
>
@ -323,7 +332,8 @@ authority to get our SSL certificates.</p>
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.</p>
<p>Thankfully, Let's Encrypt provides automation through <code>certbot</code></p>
<p>Thankfully, there is a way to automate this process through
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code>:<a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
><span class="anchor-icon">#</span></a
>
@ -259,7 +259,7 @@

<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>

<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>

<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>

@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
technologies always helps!</p>
<p>We will be using the following technologies to deploy our website:</p>
<ol>
<li>GNU/Linux server(Debian)</li>
<li>Nginx (webs server)</li>
<li>Let's Encrypt (for HTTPS)</li>
<li>Gitea (but any Git hosting works)</li>
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
</ol>
<p>Let's get started!</p>
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
@ -53,25 +52,32 @@ from a lower-privileged account. Let's make our account sudo capable:<&#
><span class="anchor-icon">#</span></a
>
</h3>
<p>Uncomplicated Firewall(<code>ufw</code>) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.</p>
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
Firewall(<code>ufw</code>)</a> is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.</p>
<p>We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `/etc/services.</p>
<pre data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt "><code class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt" data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt"><span>install ufw # we are using `ufw` for the firewall
</span><span>$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
</span><span>$ sudo ufw enable # deploy firewall
on is available at <code>/etc/services</code>.</p>
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update &amp;&amp; </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
</span></code></pre>
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
><span class="anchor-icon">#</span></a
>
</h3>
<p>SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.</p>
<p>SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
attacks</a>,
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
public-key authentication
only</a>.</p>
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
><span class="anchor-icon">#</span></a
>
@ -139,7 +145,10 @@ the server, let's disable password authentication on the server:</p
><span class="anchor-icon">#</span></a
>
</h3>
<p>We will be using <code>fail2ban</code> for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.</p>
<p>We will be using
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.</p>
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
><span class="anchor-icon">#</span></a
>
@ -323,7 +332,8 @@ authority to get our SSL certificates.</p>
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.</p>
<p>Thankfully, Let's Encrypt provides automation through <code>certbot</code></p>
<p>Thankfully, there is a way to automate this process through
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code>:<a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
><span class="anchor-icon">#</span></a
>
@ -259,7 +259,7 @@

<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>

<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>

<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>
