vps

“fast” JIRA and Confluence setup on a small VPS

Sunday, January 6th, 2013 | Linux, Tech-savvy | No Comments

I recently stumbled upon my old “fast firewalling for developers with iptables” blog post and also read the comment (yes, just one!) asking how to go on from there, maybe setting up JIRA and Confluence from Atlassian really fast. So here we go. We will install JIRA and Confluence using MySQL as the database, allowing only HTTPS connections. Bear in mind that this is not an enterprise setup; it is again targeted at individuals who want to run these tools in a non-critical private small VPS environment, maybe to evaluate the tools or collaborate with a friend. This is going to be easy and straightforward: no fancy admin stuff, no over-the-top security, simply getting the stuff up and running.


fast firewalling for developers with iptables

Saturday, November 8th, 2008 | Misc, Tech-savvy | 3 Comments

Oh no, not another iptables tutorial! Skip this if you are an experienced Linux BOFH; read this if you don’t want to bother too much with configuring your system but still want to keep the doors shut while playing around with it. In my case I am using a VPS Linux box for Subversion, Apache, Tomcat and Confluence access. A developer’s machine, as you can tell :)

I think it’s irresponsible to have a system online without shutting down every possible vulnerability. As long as I am playing with the machine (and don’t have the expertise of a top-notch sysadmin) I want it almost completely inaccessible. It’s not that I am paranoid about somebody accessing my stuff; I don’t like the thought of somebody hijacking *my* system to do *their* stuff! So what I wanted to do was to shut everything down except Secure Shell – that’s the only service I trust (using key-only authentication); everything else is tunneled through it.

Okay, enough talking, this is how you get your machine inaccessible except for ssh:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -m limit --limit 100/second -j LOG --log-prefix "iptables:"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

You won’t lock yourself out of your server by entering these commands! ;) The ESTABLISHED,RELATED rule comes first, so your current SSH session keeps working, and the port 22 rule is in place before the INPUT policy is switched to DROP. The commands should be quite self-explanatory; for a detailed explanation please refer to the iptables man pages.

The next thing is to make sure that a reboot won’t make your system vulnerable once again. The firewall rules are kept in memory only. I didn’t bother the first time I configured my system; now that my provider had to reboot their VPSes I had to reconfigure it, and I wanted that to be the last time!

There are two iptables commands that will save and load firewall rules. Dump your current rules with

sudo iptables-save

Save this output in a file:

sudo iptables-save > /etc/iptables-save

Next, tell your rc scripts (like /etc/rc.local for each multi-user runlevel) to execute the following line, which uses iptables-restore to load your previously saved configuration:

iptables-restore -c < /etc/iptables-save

That’s it, you’re all set up with a machine that is inaccessible except for Secure Shell. Happy bashing!
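One thing worth doing before /etc/iptables-save is fed back into iptables-restore at boot is to check that the saved file still leaves SSH reachable; a stray edit that drops the port 22 rule or moves a DROP above it would only show up after the next reboot. The following POSIX shell script is an added example and not part of the original post: SAVED_RULES is a constructed copy of what iptables-save prints for the rules above, and check_lockout and safe_restore are names of my own.

```sh
#!/bin/sh
# Constructed sample of /etc/iptables-save for the ruleset above
# (iptables-save output format: chain policies, then -A rules, then COMMIT).
SAVED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -m limit --limit 100/sec -j LOG --log-prefix "iptables:"
COMMIT'

# check_lockout RULESET: pure text check, needs no iptables binary.
# Returns 0 if the INPUT chain still admits tcp/22 and established
# connections before anything drops traffic, 1 if it would lock us out.
check_lockout() {
  printf '%s\n' "$1" | awk '
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
      n++
      if ($0 ~ /-p tcp/ && $0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/) ssh = n
      if ($0 ~ /--state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = n
      if (!blk && $0 ~ /-j (DROP|REJECT)/) blk = n   # first blocking rule
    }
    END {
      if (policy != "DROP" && !blk) exit 0       # nothing blocks anything
      if (!ssh || !est) exit 1                    # an ACCEPT rule is missing
      if (blk && (blk < ssh || blk < est)) exit 1 # ACCEPT sits below a DROP
      exit 0
    }'
}

# safe_restore FILE: refuse to load a saved ruleset that fails the check.
# Assumption: FILE is the /etc/iptables-save written above. iptables-restore
# --test only parses the file; the real load happens on the last line.
safe_restore() {
  check_lockout "$(cat "$1")" || {
    echo "refusing $1: ssh would be unreachable after restore" >&2
    return 1
  }
  iptables-restore --test < "$1" || return 1
  iptables-restore -c < "$1"
}
```

Call safe_restore /etc/iptables-save from /etc/rc.local instead of iptables-restore directly; a failed check leaves the (open) default policies in place rather than a half-loaded ruleset.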
