Suggestions and feedback for Drupal 11RC
John Carver - Wed, 2010/12/08 - 21:38
I have been planning to move my home website to a TKL Drupal Appliance since the beginning of the year, but had to put the project aside while I planned and executed a six week trip to Europe. Upon my return, I was pleased to find that a new TurnKey appliance based on Ubuntu 10.04 LTS was now available. I was even more pleased to find it included the latest stable release of Drush, my favorite admin tool. As I installed and setup the new server, I thought it might be helpful to document my experience. Some thoughts from my notes follow.
1. Change the hostname
/etc/hostname
myserver
/etc/hosts
127.0.1.1 myserver.mydomain myserver
Use the FQDN in /etc/hosts; otherwise Apache complains that it cannot reliably determine the server's fully qualified domain name.
It would be very helpful if TKL allowed setting the host and domain names during installation and also offered the ability to change them in confconsole.
2. Add alias for root
/etc/aliases
root: admin_email_name@email_host
and then run newaliases
# newaliases
As administrator, I want to receive all messages sent to root@localhost. In the current 11.0 RC, they are rejected as undeliverable (see below).
3. Change Postfix 'myhostname'
/etc/postfix/main.cf
myhostname = localhost
Change 'myhostname' from UNKNOWN to 'localhost'.
This allows Postfix to deliver mail addressed to root@localhost.
4. Set the default locale
/etc/default/locale
LANG="en_US.UTF-8"
or
# echo "LANG=\"en_US.UTF-8\"" > /etc/default/locale
This eliminates complaints in the logs about /etc/default/locale missing. I wonder if this could be set during installation based on the keyboard selection.
5. Install logrotate, logwatch, fail2ban, and bsd-mailx
logwatch monitors daily operations and mails a report to root.
logrotate manages log files and deletes old logs.
fail2ban monitors system logs and bans hackers using iptables.
bsd-mailx allows reading local mail for root and sending test messages.
# apt-get install logrotate logwatch fail2ban bsd-mailx
I recommend that logwatch, logrotate, and fail2ban be considered for inclusion in all TKL appliances.
6. Create fail2ban jail 'apache-access'
/etc/fail2ban/filter.d/apache-access.conf
# Fail2Ban configuration file for Apache access logs
#
# Author: John Carver
#
# $Revision: 102 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match botnets scanning for .php files in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = ^<HOST> -.*GET .*\.php.* 40[34] .*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Warning: This is severe punishment for anyone scanning your website looking for unprotected .php files. It works okay for me, but use with caution.
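To see what this filter actually catches before enabling it with maxretry = 1 and a permanent ban, here is an added Python check (not part of the original post and not fail2ban's own code) that expands the <HOST> tag the way the filter comment above describes and runs failregex and ignoreregex over a few constructed access-log lines. The IP addresses and log lines are made up; the second host shows a legitimate visitor being banned for one stale .php link.

```python
import re

# fail2ban expands the <HOST> tag to this group before compiling failregex
# (taken from the filter's own comment above).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex / ignoreregex exactly as in the apache-access.conf filter above.
FAILREGEX = r"^<HOST> -.*GET .*\.php.* 40[34] .*$"
IGNOREREGEX = r""


def compile_filter(failregex, ignoreregex=""):
    """Return compiled (fail, ignore) patterns; ignore is None when empty."""
    fail = re.compile(failregex.replace("<HOST>", HOST_TAG))
    ignore = re.compile(ignoreregex) if ignoreregex.strip() else None
    return fail, ignore


def banned_hosts(log_lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX, maxretry=1):
    """Count failregex hits per host, skipping lines that match ignoreregex,
    and return the hosts that reached maxretry (the jail above uses 1)."""
    fail, ignore = compile_filter(failregex, ignoreregex)
    hits = {}
    for line in log_lines:
        if ignore is not None and ignore.search(line):
            continue
        m = fail.match(line)
        if m:
            host = m.group("host")
            hits[host] = hits.get(host, 0) + 1
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed Apache combined-format lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Dec/2010:21:38:00 +0000] "GET /wp-login.php HTTP/1.1" 404 290 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Dec/2010:21:38:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Dec/2010:21:39:00 +0000] "GET /index.php?q=node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Dec/2010:21:39:05 +0000] "GET /sites/default/files/old.php HTTP/1.1" 404 290 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Dec/2010:21:40:00 +0000] "POST /index.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # With maxretry=1 both the scanner and the visitor with one dead link are banned.
    print(banned_hosts(SAMPLE_LOG))
```

Raising maxretry to 2, or excluding known-good hosts via ignoreregex (or fail2ban's ignoreip), keeps only the scanning host in the result.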
7. Enable fail2ban jails
/etc/fail2ban/jail.local
# Fail2Ban configuration file.
#
# JAILS
#

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache2/error.log
maxretry = 6

[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache2/error.log
maxretry = 6

[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache2/error.log
maxretry = 2

[apache-access]
enabled  = true
port     = http,https
filter   = apache-access
logpath  = /var/log/apache2/access.log
maxretry = 1
bantime  = -1

#
# Mail servers
#

[postfix]
enabled = true
port    = smtp,ssmtp
filter  = postfix
logpath = /var/log/mail.log

#
# Additional Services
#

[webmin-iptables]
enabled = true
filter  = webmin-auth
action  = iptables[name=webmin, port=12321, protocol=tcp]
logpath = /var/log/auth.log
8. Configure NTP per VMware recommendations for virtual hosts.
/etc/ntp.conf
tinker panic 0
Change servers to:
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
or use a regional pool, e.g.
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
"The configuration directive tinker panic 0 instructs NTP not to give up if it sees a large jump in time. This is important for coping with large time drifts and also resuming virtual machines from their suspended state.
Note: The directive tinker panic 0 must be at the top of the ntp.conf file.
It is also important not to use the local clock as a time source, often referred to as the Undisciplined Local Clock. NTP has a tendency to fall back to this in preference to the remote servers when there is a large amount of time drift."
Note:
I had problems formatting the items above because <code>,</code> no longer works and CKEditor seems to indent the first line of each <pre> formatted paragraph.