Customizing my Webserver, and Internet Connections

I have gone into detail regarding configuring my server already. I have written my SSL with Let’s Encrypt guide. I also wrote my Rsync with SSH guide. This article is about how I finished the steps of securing and customizing my server This article is about how I finished the steps of securing and customizing my server.

This article goes over the following: - Opening up a SSH Connection for a remote computer - Changing pre and post SSH login messages - Setting up backups - Copying backups from the server to a remote computer - Setting up DKIM - Setting up SPF and DMARC records - Getting VIM to do Markdown formatting on .md files

##Opening Remote Port To facilitate writing for my sites I opened a port for SSH on my computer at home on my router, then I created a DNS A record with my DNS provider pointing to my IP Address. After the DNS propagated I have access over SSH to my computer. I edited my ssh_config file to disallow password authentication. I also do not allow root logins. These can both be set in /etc/ssh/ssh_config. The way I add new keys is to log into the computer and enable password logins, thn install the new key. After the key is installed I disable passwords again.

##SSH Warnings and Message of the Day There are two messages which can be displayed for SSH logins. The pre-authentication message, and the Message of the Day. The file with the text for the pre-uthenication message on Debian is /etc/issue.net.

The first message, which can be displayed is the message which appears before login is complete. The message is stored in /etc/issue.net on Debian (and possibly derivitate) systems.

This is the text I put in my issue.net:

Welcome to Excalibursheath.com

This system is for the use of authorized users only. Usage of this system may be monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring. If monitoring reveals possible evidence of criminal activity,
system personnel will provide the evidence from such monitoring to law enforcement officials.

Disconnect IMMEDIDIATELY if you are not an authorized user!

The reason for this message, is because The U.K.s Computer Misuse Act of 1990 says that an offense of unathorized access can only be committed if the offender knew at the time that the access they intended to gain was unauthorized. I found this information as I searched for examples of messages. This information came from the CentOS Wiki. I kept the width to 80 characters, as that is the standard terminal width.

The second message is called the Message of the day. On Debian systems it is in /etc/motd. There are options to generate dynamic motds, but I found that on Debian these are complicated, and do not always work. As my needs are fairly simple, I decided to craft a static Message page. The first part of the message is the name of the system.

Here is the command I used to create my Excalibursheath text for my motd file. In the example motd file below I removed the coloring, as that proved to be difficult to translate for the web.

1
toilet -f future --metal Excalibursheath.com |sudo tee /etc/motd 

Then I added my message, just a few paragraphs of text similar to my other message.

Here is my example message.

Excalibursheath.com

:::::::::::::::::::::::::-RULES-:::::::::::::::::::::::::::

This computer system is the private property of its owner, for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.

LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

~== DISABLE YOUR PROGRAMS FROM KEEPING SENSITIVE LOGS OR HISTORY ==~

##Backups I now have Webmin making 3 backups. I simply used the Webmin Filesystem Backup module.

The Steps to define a back up are:

  1. Define a directory to backup
  2. Check the Tar Format box
  3. Click Add a New Backup of Directory
  4. Add any other directories you need to your backup.
  5. Select Backup to File or Tape Device and Enter the full path and filename of the backup into the box.
  6. Under Backup Options change Compress Archive to Yes
  7. Under Backup Schedule select your backup schedule

I found these steps make great local backups. Unfortunately, every so often I want a remote backup maded too.

So I wrote the following little script, and run it as a cron job.

1
2
#! /bin/bash
scp /backup/backup-daily.tar.gz <USERNAME>.<REMOTE-LOCATION>:remote-backups/backup-remote.tar.gz

The result is that I have a daily, weekly, and monthly local backup, and a monthly remote backup being made.

##Email DNS TXT record Creation I know that some Email services will mark your emails as spam if the DNS Record they like (SPF, DMARC, DKIM) are not setup.

###SPF Records SPF Records are the easiest in my opinion to setup. There are tools, like SPF Wizard, which can help automate the process of creating the record. Using the wizard, the exact text to put in the record can be created. SPF records break down like this:

v=spf1 (Define that the TXT record is a SPF record).

mx a (Define all of the DNS records which are permitted to send email, use a:Domain-Name to add domains which send email for you, like MailChimp, Constant Contact, etc.).

ipv4:IP-ADDRESS (You may have this. You can define specific IP Addresses which are allowed to send email. Utilizing the mx a above puts your server’s IP Addresses in place, so unless you have specific IP Addresses which deliver or relay mail for you, then you don’t need this).

a:DOMAIN-NAME (Use this to declare server hostnames which can relay mail for your domain).

include:DOMAIN-NAME (Here is where you can define any other Domains which can deliver or relay mail for your domain).

~/-/?all (The last part of a SPF Record is telling other email servers how strict to be in following these rules. If you put -all any emails which are sent from a server which does not match will be rejected. ~all will cause a soft-fail, the server will mark that it failed, but still allow delivery. ?all sets it to neutral, which means emails will probably be delivered without being marked as spam.)

###DKIM DKIM can be one of the more complicated tools to setup. This is because DKIM is not just a DNS record, but a software stack on the server. I followed this guide. One difference, is that I do not use my server for my DNS, so I took the DKIM record, and removed all of the “ “ in it and put that in place at my DNS Host. I had a valid DKIM record.

###DMARC I recommed that DMARC records be created last. This is because the idea of the DMARC record is to make better use of the SPF and DKIM records, but allow more reporting to occur. I used this DMARC Wizard to create my DMARC records, and put them in place in my DNS host.

##Getting Vim to properly highlight .md files as Markdown I found that VIm does not recognise .md files as Markdown. To correct this, I created a .vimrc file, and placed the following into it:

1
au BufNewFile,BufFilePre,BufRead *.md set filetype=markdown

Now when I’m editing my Jekyll content, written in Markdown, I have correct formatting.

##Conclusion I have listed out the steps I took for a lot of unrelated steps. This article was made up of a lot of little things, which I did, which did not seem to need their own writeups, but I wanted to document.

Written on April 25, 2016