colkito · November 25, 2016 14:19 · Sep 15, 2016 · Sep 2, 2016 · Aug 28, 2016 · Aug 22, 2016
diff --git a/README.md b/README.md
@@ -448,6 +448,6 @@ This will try to renew your certs every Monday night and reload NGINX while savi
 Now test your SSL certs via:
 * [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html)
 * [ALPN support](https://tools.keycdn.com/http2-test)
-* [http observatory](https://mozilla.github.io/http-observatory-website/analyze.html)
+* [http observatory](https://mozilla.github.io/http-observatory-website/)
 * [security headers](https://securityheaders.io)
 * [encryption strength](https://tls.imirhil.fr/)
diff --git a/README.md b/README.md
@@ -445,4 +445,9 @@ SHELL=/bin/bash # I like bash
 
 This will try to renew your certs every Monday night and reload NGINX while saving the log into `/var/log/letsencrypt-renewal.log`. _(Check your log if you have issues with `vim /var/log/letsencrypt-renewal.log`)_
 
-Now test your SSL certs via [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html) and your [ALPN support](https://tools.keycdn.com/http2-test).
+Now test your SSL certs via:
+* [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html)
+* [ALPN support](https://tools.keycdn.com/http2-test)
+* [http observatory](https://mozilla.github.io/http-observatory-website/analyze.html)
+* [security headers](https://securityheaders.io)
+* [encryption strength](https://tls.imirhil.fr/)
diff --git a/default b/default
@@ -16,6 +16,9 @@ add_header  X-XSS-Protection '1; mode=block';
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header  Strict-Transport-Security 'max-age=31536000; includeSubDomains;' always;
 
+# Content Security Policy
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ssl.google-analytics.com https://cdn.polyfill.io; img-src 'self' https://ssl.google-analytics.com; style-src 'self'; font-src 'self'; frame-src 'self'; object-src 'none'";
+
 # CORS
 add_header  'Access-Control-Allow-Origin' '*';
 add_header  'Access-Control-Allow-Credentials' 'true';

diff --git a/README.md b/README.md
@@ -22,6 +22,7 @@ Update your package manager:
 ```shell
 apt-get update
 apt-get upgrade
+apt-get dist-upgrade
 ```
 
 Install [fail2ban](http://www.fail2ban.org/):

diff --git a/README.md b/README.md
@@ -438,7 +438,7 @@ SHELL=/bin/bash # I like bash
 30 2 * * 1 /home/deploy/letsencrypt/letsencrypt-auto renew --webroot-path /www/ >> /var/log/letsencrypt-renewal.log 2>&1
 
 # restart the server 2:35AM
-35 2 * * 1 /etc/init.d/nginx restart 2>&1
+35 2 * * 1 /etc/init.d/nginx restart >> /var/log/letsencrypt-renewal.log 2>&1
 # empty line at the end so cron doesn’t ignore the last command
 ```
 

diff --git a/README.md b/README.md
@@ -194,12 +194,12 @@ To run RKHunter execute the following command as often as you update `apt-get`:
 sudo rkhunter --update
 ```
 
-_(This will update it's database and performe a check)_
+_(This will update it’s database and performe a check)_
 
 
 # bash
 
-I like to change the shell to bash as that's what I like.
+I like to change the shell to bash as that’s what I like.
 
 ```shell
 sudo apt-get install csh
@@ -279,7 +279,7 @@ sudo apt-get install ntp
 
 # swapfile
 
-*Now as we all have moved to SSD servers we don't need this anymore. :)*  
+*Now as we all have moved to SSD servers we don’t need this anymore. :)*  
 For legacy reasons:
 
 ```shell
@@ -322,7 +322,7 @@ _(connection via SFTP)_
 
 # git
 
-Install git if it isn't already:
+Install git if it isn’t already:
 
 ```shell
 sudo apt-get install git
@@ -384,7 +384,7 @@ sudo vim /etc/nginx/sites-available/default
 
 To delete a page in `vim` just type `:1,$d` in the command prompt. I usually write the config locally and then just past it into vim. So: copy content, open file in vim, do `:1,$d` to delete contents, type `i` to set vim into insert mode, paste.
 
-_(I've attached my [basic config](https://gist.github.com/dominikwilkowski/435054905c3c7abc2badc92a0acff4ba#file-default) that works for me below, note that this config assumes SSL and the cypher below)_
+_(I’ve attached my [basic config](https://gist.github.com/dominikwilkowski/435054905c3c7abc2badc92a0acff4ba#file-default) that works for me below, note that this config assumes SSL and the cypher below)_
 
 To create a strong cypher:
 
@@ -429,11 +429,19 @@ sudo crontab -e
 And add the two following lines:
 
 ```shell
-30 2 * * 1 root /home/deploy/letsencrypt/letsencrypt-auto renew --webroot-path /www/ >> /var/log/letsencrypt-renewal.log #runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
-35 2 * * 1 root /etc/init.d/nginx restart #runs every Monday at 2:35AM
-# empty line at the end
+SHELL=/bin/bash # I like bash
+
+# add timestamp to your log file for easier parsing
+29 2 * * 1 date >> /var/log/letsencrypt-renewal.log 2>&1
+
+# runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
+30 2 * * 1 /home/deploy/letsencrypt/letsencrypt-auto renew --webroot-path /www/ >> /var/log/letsencrypt-renewal.log 2>&1
+
+# restart the server 2:35AM
+35 2 * * 1 /etc/init.d/nginx restart 2>&1
+# empty line at the end so cron doesn’t ignore the last command
 ```
 
-This will try to renew your certs every Monday night and reload NGINX while saving the log into `/var/log/letsencrypt-renewal.log`.
+This will try to renew your certs every Monday night and reload NGINX while saving the log into `/var/log/letsencrypt-renewal.log`. _(Check your log if you have issues with `vim /var/log/letsencrypt-renewal.log`)_
 
 Now test your SSL certs via [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html) and your [ALPN support](https://tools.keycdn.com/http2-test).
diff --git a/README.md b/README.md
@@ -429,9 +429,9 @@ sudo crontab -e
 And add the two following lines:
 
 ```shell
-SHELL=/bin/bash #I like bash
 30 2 * * 1 root /home/deploy/letsencrypt/letsencrypt-auto renew --webroot-path /www/ >> /var/log/letsencrypt-renewal.log #runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
 35 2 * * 1 root /etc/init.d/nginx restart #runs every Monday at 2:35AM
+# empty line at the end
 ```
 
 This will try to renew your certs every Monday night and reload NGINX while saving the log into `/var/log/letsencrypt-renewal.log`.

diff --git a/README.md b/README.md
@@ -430,7 +430,7 @@ And add the two following lines:
 
 ```shell
 SHELL=/bin/bash #I like bash
-30 2 * * 1 root ~/letsencrypt/letsencrypt-auto renew --webroot-path /www/ >> /var/log/letsencrypt-renewal.log #runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
+30 2 * * 1 root /home/deploy/letsencrypt/letsencrypt-auto renew --webroot-path /www/ >> /var/log/letsencrypt-renewal.log #runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
 35 2 * * 1 root /etc/init.d/nginx restart #runs every Monday at 2:35AM
 ```
 

diff --git a/README.md b/README.md
@@ -431,7 +431,7 @@ And add the two following lines:
 ```shell
 SHELL=/bin/bash #I like bash
 30 2 * * 1 root ~/letsencrypt/letsencrypt-auto renew --webroot-path /www/ >> /var/log/letsencrypt-renewal.log #runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
-35 2 * * 1 root /etc/init.d/nginx reload #runs every Monday at 2:35AM
+35 2 * * 1 root /etc/init.d/nginx restart #runs every Monday at 2:35AM
 ```
 
 This will try to renew your certs every Monday night and reload NGINX while saving the log into `/var/log/letsencrypt-renewal.log`.

diff --git a/README.md b/README.md
@@ -430,7 +430,7 @@ And add the two following lines:
 
 ```shell
 SHELL=/bin/bash #I like bash
-30 2 * * 1 root ~/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renewal.log #runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
+30 2 * * 1 root ~/letsencrypt/letsencrypt-auto renew --webroot-path /www/ >> /var/log/letsencrypt-renewal.log #runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
 35 2 * * 1 root /etc/init.d/nginx reload #runs every Monday at 2:35AM
 ```
 

diff --git a/README.md b/README.md
@@ -429,8 +429,9 @@ sudo crontab -e
 And add the two following lines:
 
 ```shell
-30 2 * * 1 ~/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renewal.log
-35 2 * * 1 /etc/init.d/nginx reload
+SHELL=/bin/bash #I like bash
+30 2 * * 1 root ~/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renewal.log #runs every Monday at 2:30AM, output is saved to /var/log/letsencrypt-renewal.log
+35 2 * * 1 root /etc/init.d/nginx reload #runs every Monday at 2:35AM
 ```
 
 This will try to renew your certs every Monday night and reload NGINX while saving the log into `/var/log/letsencrypt-renewal.log`.

diff --git a/default b/default
@@ -1,4 +1,4 @@
-# NGINX CONFIG WITH HTTP/2 SUPPORT, CORES, A PROXY TO A NODE APP
+# NGINX CONFIG WITH HTTP/2 SUPPORT, CORES, A PROXY TO A NODE APP, HTTP -> HTTPS and WWW -> HTTPS redirects
 #
 # Make sure you edit the sections marked with "CHANGE THIS" comments.
 #
@@ -60,9 +60,37 @@ server {
 # http to https redirect
 #
 server {
-	listen       80;
-	server_name  [domain.tld];  #CHANGE THIS
-	return 301   https://$host$request_uri;
+	server_name  www.[domain.tld] [domain.tld];  #CHANGE THIS
+	root         /var/www/html/;
+	return 301   https://[domain.tld]$request_uri;
+}
+
+
+# www to https redirect
+#
+server {
+	listen       443 ssl;
+	listen       [::]:443 ssl;
+	server_name  www.[domain.tld];  #CHANGE THIS
+
+	ssl on;
+	ssl_certificate      /etc/letsencrypt/live/[domain.tld]/fullchain.pem;  #CHANGE THIS
+	ssl_certificate_key  /etc/letsencrypt/live/[domain.tld]/privkey.pem;  #CHANGE THIS
+	ssl_session_timeout  1d;
+	ssl_session_cache    shared:SSL:50m;
+	ssl_session_tickets  off;
+	ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
+	ssl_prefer_server_ciphers  on;
+	ssl_dhparam                /etc/nginx/ssl/dhparam.pem;  #CHANGE THIS
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';  #generate here: https://mozilla.github.io/server-side-tls/ssl-config-generator/
+	ssl_stapling         on;
+	ssl_stapling_verify  on;
+
+	location ~ /\.ht {
+		deny  all;
+	}
+
+	return 301  https://[domain.tld]$request_uri;  #CHANGE THIS
 }
 
 

diff --git a/README.md b/README.md
@@ -435,4 +435,4 @@ And add the two following lines:
 
 This will try to renew your certs every Monday night and reload NGINX while saving the log into `/var/log/letsencrypt-renewal.log`.
 
-Now test your SSL certs via [SSLLabs](ssllabs.com/ssltest/analyze.html) and your [ALPN support](https://tools.keycdn.com/http2-test).
+Now test your SSL certs via [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html) and your [ALPN support](https://tools.keycdn.com/http2-test).
diff --git a/README.md b/README.md
@@ -384,7 +384,16 @@ sudo vim /etc/nginx/sites-available/default
 
 To delete a page in `vim` just type `:1,$d` in the command prompt. I usually write the config locally and then just past it into vim. So: copy content, open file in vim, do `:1,$d` to delete contents, type `i` to set vim into insert mode, paste.
 
-_(I've attached my basic config that works for me [below](https://gist.github.com/dominikwilkowski/435054905c3c7abc2badc92a0acff4ba#file-default))_
+_(I've attached my [basic config](https://gist.github.com/dominikwilkowski/435054905c3c7abc2badc92a0acff4ba#file-default) that works for me below, note that this config assumes SSL and the cypher below)_
+
+To create a strong cypher:
+
+```shell
+sudo mkdir /etc/nginx/ssl/
+sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
+```
+
+ _(This takes some time)_
 
 Restart the server with the new config:
 
@@ -411,13 +420,19 @@ If you are running NGINX and the loader is broken (as it is currently as of May
 ./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory
 ```
 
-To create a strong cypher:
+Set up auto renewal. Open crontab:
 
 ```shell
-sudo mkdir /etc/nginx/ssl/
-sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
+sudo crontab -e
 ```
 
- _(This takes some time)_
+And add the two following lines:
+
+```shell
+30 2 * * 1 ~/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renewal.log
+35 2 * * 1 /etc/init.d/nginx reload
+```
+
+This will try to renew your certs every Monday night and reload NGINX while saving the log into `/var/log/letsencrypt-renewal.log`.
 
 Now test your SSL certs via [SSLLabs](ssllabs.com/ssltest/analyze.html) and your [ALPN support](https://tools.keycdn.com/http2-test).
diff --git a/README.md b/README.md
@@ -188,10 +188,6 @@ Modify so you have:
 RUN_DAILY="true"
 ```
 
-```shell
-sudo vim /etc/cron.daily/chkrootkit
-```
-
 To run RKHunter execute the following command as often as you update `apt-get`:
 
 ```shell

diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 > This is a basic collection of things I do when setting up a new headless ubuntu machine as a webserver. Following the steps below should give you a reasonable secure server with HTTP/2 support (including ALPN in chrome) and the fast NGINX server. I am happy to add things so leave a comment.
 
 
-# BASICS
+# Basics
 
 After creating the server (droplet on [DigitalOcean](https://m.do.co/c/e0de563c2962)) log in with
 
@@ -158,6 +158,48 @@ Modify so you have something like _(change `your@email.tld` to your email)_:
 /usr/sbin/logwatch --output mail --mailto your@email.tld --detail high
 ```
 
+I like to disable `/run/shm` read/write privileges as they are [not needed in a headless server](https://help.ubuntu.com/community/StricterDefaults):
+
+```shell
+sudo vim /etc/fstab
+```
+
+And add the following line:
+
+```shell
+none            /run/shm        tmpfs   defaults,ro              0       0
+```
+
+Install rootkit detection with RKHunter and CHKRootKit:
+
+```shell
+sudo apt-get install rkhunter chkrootkit
+```
+
+Configure CHKRootKit:
+
+```shell
+sudo vim /etc/chkrootkit.conf
+```
+
+Modify so you have:
+
+```shell
+RUN_DAILY="true"
+```
+
+```shell
+sudo vim /etc/cron.daily/chkrootkit
+```
+
+To run RKHunter execute the following command as often as you update `apt-get`:
+
+```shell
+sudo rkhunter --update
+```
+
+_(This will update it's database and performe a check)_
+
 
 # bash
 

diff --git a/README.md b/README.md
@@ -1,3 +1,8 @@
+# Intro
+
+> This is a basic collection of things I do when setting up a new headless ubuntu machine as a webserver. Following the steps below should give you a reasonable secure server with HTTP/2 support (including ALPN in chrome) and the fast NGINX server. I am happy to add things so leave a comment.
+
+
 # BASICS
 
 After creating the server (droplet on [DigitalOcean](https://m.do.co/c/e0de563c2962)) log in with
@@ -49,9 +54,9 @@ passwd deploy
 Add your ssh key:
 
 ```shell
-vim /home/deploy/.ssh/authorized_keys         #add your public ssh key here, copy your ssh key with: pbcopy < ~/.ssh/id_rsa.pub
+vim /home/deploy/.ssh/authorized_keys         #add your public ssh key here, copy your public ssh key from your local with: `pbcopy < ~/.ssh/id_rsa.pub`, create a new one with `ssh-keygen -t rsa`
 chmod 400 /home/deploy/.ssh/authorized_keys   #permissions
-chown deploy:deploy /home/deploy -R           #permissions
+chown deploy:deploy /home/deploy -R           #owner
 ```
 
 And add the user to the superuser group
@@ -63,8 +68,8 @@ visudo
 Add into the file:
 
 ```shell
-	root    ALL=(ALL) ALL
-	deploy  ALL=(ALL) ALL
+root    ALL=(ALL) ALL
+deploy  ALL=(ALL) ALL
 ```
 
 Disable root login and password authentication
@@ -93,7 +98,7 @@ Now test your login with the new user in a new shell:
 ssh deploy@[ID ADDRESS]
 ```
 
-If everything works with the deploy login, log out of you root session and close.
+## If everything works with the deploy login, log out of you root session and close.
 
 ----------------------------------------------------------------------------------------------------------------------------
 
@@ -134,7 +139,7 @@ Unattended-Upgrade::Allowed-Origins {
 };
 ```
 
-Now install [logwatch](https://packages.debian.org/search?keywords=logwatch):
+Now install [logwatch](https://packages.debian.org/search?keywords=logwatch):  
 _(This will typically install postfix and ask you about your mail setup)_
 
 ```shell
@@ -236,7 +241,7 @@ sudo apt-get install ntp
 
 # swapfile
 
-*Now as we all have moved to SSD servers we don't need this anymore. :)*
+*Now as we all have moved to SSD servers we don't need this anymore. :)*  
 For legacy reasons:
 
 ```shell
@@ -302,7 +307,7 @@ sudo apt-get install nodejs
 sudo apt-get install npm
 ```
 
-Because there was a name clash in the package manager we have to add a symlink to get `node` working:
+Because there was a name clash in the package manager we have to add a symlink to get the `node` namespace working:
 
 ```shell
 sudo ln -s /usr/bin/nodejs /usr/bin/node
@@ -339,9 +344,9 @@ And edit the NGINX config:
 sudo vim /etc/nginx/sites-available/default
 ```
 
-To delete a page in `vim` just type `:1,$d` in the command prompt.
+To delete a page in `vim` just type `:1,$d` in the command prompt. I usually write the config locally and then just past it into vim. So: copy content, open file in vim, do `:1,$d` to delete contents, type `i` to set vim into insert mode, paste.
 
-_(I've attached my basic config that works for me below)_
+_(I've attached my basic config that works for me [below](https://gist.github.com/dominikwilkowski/435054905c3c7abc2badc92a0acff4ba#file-default))_
 
 Restart the server with the new config:
 
@@ -352,7 +357,7 @@ sudo nginx -s reload
 
 # letsencrypt
 
-Install letsencrypt because we want to add SSL to our website right?
+Install letsencrypt because we want to add SSL to our website to secure our users right?
 
 ```shell
 cd /home/deploy/
@@ -376,3 +381,5 @@ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
 ```
 
  _(This takes some time)_
+
+Now test your SSL certs via [SSLLabs](ssllabs.com/ssltest/analyze.html) and your [ALPN support](https://tools.keycdn.com/http2-test).
diff --git a/default b/default
@@ -1,4 +1,6 @@
-# settings
+# NGINX CONFIG WITH HTTP/2 SUPPORT, CORES, A PROXY TO A NODE APP
+#
+# Make sure you edit the sections marked with "CHANGE THIS" comments.
 #
 server_tokens  off;
 
@@ -93,7 +95,7 @@ server {
 	# root server
 	#
 	location / {
-		root   /var/www/html/;
+		root   /var/www/html/;  #CHANGE THIS
 		index  index.html index.htm;
 	}
 

diff --git a/README.md b/README.md
@@ -339,6 +339,8 @@ And edit the NGINX config:
 sudo vim /etc/nginx/sites-available/default
 ```
 
+To delete a page in `vim` just type `:1,$d` in the command prompt.
+
 _(I've attached my basic config that works for me below)_
 
 Restart the server with the new config:
@@ -366,5 +368,11 @@ If you are running NGINX and the loader is broken (as it is currently as of May
 ./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory
 ```
 
+To create a strong cypher:
 
+```shell
+sudo mkdir /etc/nginx/ssl/
+sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
+```
 
+ _(This takes some time)_
diff --git a/README.md b/README.md
@@ -266,7 +266,6 @@ Modify so you have:
 ```shell
 anonymous_enable=NO
 write_enable=YES
-chroot_local_user=YES
 ```
 
 And restart your service:

diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+# BASICS
+
 After creating the server (droplet on [DigitalOcean](https://m.do.co/c/e0de563c2962)) log in with
 
 ```shell
@@ -38,18 +40,18 @@ mkdir /home/deploy/.ssh
 chmod 700 /home/deploy/.ssh
 ```
 
-Add your ssh key:
+Give the new user a sudo password:
 
 ```shell
-vim /home/deploy/.ssh/authorized_keys         #add your public ssh key here, copy your ssh key with: pbcopy < ~/.ssh/id_rsa.pub
-chmod 400 /home/deploy/.ssh/authorized_keys   #permissions
-chown deploy:deploy /home/deploy -R           #permissions
+passwd deploy
 ```
 
-Give the new user a sudo password:
+Add your ssh key:
 
 ```shell
-passwd deploy
+vim /home/deploy/.ssh/authorized_keys         #add your public ssh key here, copy your ssh key with: pbcopy < ~/.ssh/id_rsa.pub
+chmod 400 /home/deploy/.ssh/authorized_keys   #permissions
+chown deploy:deploy /home/deploy -R           #permissions
 ```
 
 And add the user to the superuser group
@@ -91,6 +93,279 @@ Now test your login with the new user in a new shell:
 ssh deploy@[ID ADDRESS]
 ```
 
+If everything works with the deploy login, log out of you root session and close.
+
+----------------------------------------------------------------------------------------------------------------------------
+
+## NOW LOGIN WITH DEPLOY AND INSTALL EVERYTHING WITH DEPLOY
+
+Install [unattended-upgrades](https://packages.debian.org/unattended-upgrades)
+
+```shell
+sudo apt-get install unattended-upgrades
+```
+
+Edit what is updated:
+
+```shell
+sudo vim /etc/apt/apt.conf.d/10periodic
+```
+
+Modify so you have:
+
+```shell
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+```
+
+and specify what upgrades should be done:
+
+```shell
+sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
+```
+
+The default here is often fine:
+
+```shell
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id}:${distro_codename}-security";
+};
+```
+
+Now install [logwatch](https://packages.debian.org/search?keywords=logwatch):
+_(This will typically install postfix and ask you about your mail setup)_
+
+```shell
+sudo apt-get install logwatch
+```
+
+Now edit what to do with the logs. I usually have them send to my email to sort them into a folder there:
+
+```shell
+sudo vim /etc/cron.daily/00logwatch
+```
+
+Modify so you have something like _(change `your@email.tld` to your email)_:
+
+```shell
+/usr/sbin/logwatch --output mail --mailto your@email.tld --detail high
+```
+
+
+# bash
+
+I like to change the shell to bash as that's what I like.
+
+```shell
+sudo apt-get install csh
+sudo chsh -s /bin/bash deploy
+```
+
+_(see after reconnect)_
+
+
+# firewall
+
+First make sure you have IPv6 enabled:
+
+```shell
+sudo vim /etc/default/ufw
+```
+
+It should say:
+
+```shell
+IPV6=yes
+```
+
+Then make sure you are not locked out:
+
+```shell
+sudo ufw allow ssh
+```
+
+I would also usually do:
+
+```shell
+sudo ufw allow https
+sudo ufw allow http
+sudo ufw allow ftp
+```
+
+Then enable the firewall:
+
+```shell
+sudo ufw enable
+```
+
+And to make sure you have everything enabled and no useless ports open:
+
+```shell
+sudo ufw status
+```
+
+To reload the firewall you can:
+
+```shell
+sudo ufw reload
+```
+
+And to see the log you do:
+
+```shell
+sudo grep UFW /var/log/syslog
+```
+
+
+# timezone
+
+To set your correct timezone:
+
+```shell
+sudo dpkg-reconfigure tzdata
+```
+
+Install the time protocol daemon
+
+```shell
+sudo apt-get install ntp
+```
+
+
+# swapfile
+
+*Now as we all have moved to SSD servers we don't need this anymore. :)*
+For legacy reasons:
+
+```shell
+get memory with `free -m`
+sudo fallocate -l 1G /swapfile
+sudo chmod 600 /swapfile
+sudo mkswap /swapfile
+sudo swapon /swapfile
+sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
+```
+
+
+# FTP
+
+```shell
+sudo apt-get install vsftpd
+```
+
+Edit the config:
+
+```shell
+sudo vim /etc/vsftpd.conf
+```
+
+Modify so you have:
+
+```shell
+anonymous_enable=NO
+write_enable=YES
+chroot_local_user=YES
+```
+
+And restart your service:
+
+```shell
+sudo service vsftpd restart
+```
+
+_(connection via SFTP)_
+
+
+# git
+
+Install git if it isn't already:
+
+```shell
+sudo apt-get install git
+```
+
+And set your account:
+
+```shell
+git config --global user.name "Your Name"
+git config --global user.email "youremail@domain.com"
+```
+
+
+# node
+
+Install node and NPM:
+
+```shell
+sudo apt-get install nodejs
+sudo apt-get install npm
+```
+
+Because there was a name clash in the package manager we have to add a symlink to get `node` working:
+
+```shell
+sudo ln -s /usr/bin/nodejs /usr/bin/node
+```
+
+
+# nginx
+
+Install your server of choice. NGINX is what I like:
+
+```shell
+sudo apt-get install nginx
+```
+
+For HTTP/2 to be supported you will need to check the version of NGINX and openSSL:
+
+```shell
+nginx -v
+openssl version
+```
+
+_NGINX needs to be at least 1.9.5 or above and OpenSSL needs to be at least 1.0.2 or above ([for ALPN to work in chrome](http://blog.chromium.org/2016/02/transitioning-from-spdy-to-http2.html))._
+
+Create a symlink to get to your html folder quickly and give permission:
+
+```shell
+sudo ln -s /var/www/html/ /www
+sudo chown deploy:deploy /var/www/html/ -R
+```
+
+And edit the NGINX config:
+
+```shell
+sudo vim /etc/nginx/sites-available/default
+```
+
+_(I've attached my basic config that works for me below)_
+
+Restart the server with the new config:
+
+```shell
+sudo nginx -s reload
+```
+
+
+# letsencrypt
+
+Install letsencrypt because we want to add SSL to our website right?
+
+```shell
+cd /home/deploy/
+git clone https://github.com/letsencrypt/letsencrypt
+cd letsencrypt
+./letsencrypt-auto --help
+./letsencrypt-auto
+```
+
+If you are running NGINX and the loader is broken (as it is currently as of May 2016) run:
+
+```shell
+./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory
+```
 
 
 
diff --git a/default b/default
@@ -0,0 +1,107 @@
+# settings
+#
+server_tokens  off;
+
+# prevent clickjacking attacks
+add_header  X-Frame-Options SAMEORIGIN;
+
+# disallow circumventing declared MIME types
+add_header  X-Content-Type-Options nosniff;
+
+# X-XSS-Protection
+add_header  X-XSS-Protection '1; mode=block';
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header  Strict-Transport-Security 'max-age=31536000; includeSubDomains;' always;
+
+# CORS
+add_header  'Access-Control-Allow-Origin' '*';
+add_header  'Access-Control-Allow-Credentials' 'true';
+add_header  'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+add_header  'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+
+# node proxy
+#
+server {
+	listen       8080;
+	server_name  [YOUR IP];  #CHANGE THIS
+	access_log   /var/log/nginx/nodeApp.log;
+	error_page   400 401 402 403 404 405 500 501 502 503 504  @error_page;
+
+	# fallback page when node app is off
+	#
+	location     @error_page {
+		root       /var/www/html/;
+		internal;
+		rewrite ^  [https://domain.tld/error.html];  #CHANGE THIS
+		break;
+	}
+
+	location / {
+		proxy_redirect          off;
+		proxy_pass_header       Server;
+		proxy_set_header        X-Real-IP $remote_addr;
+		proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header        X-Scheme $scheme;
+		proxy_set_header        Host $http_host;
+		proxy_set_header        X-NginX-Proxy true;
+		proxy_connect_timeout   5;
+		proxy_read_timeout      240;
+		proxy_intercept_errors  on;
+
+		proxy_pass              http://127.0.0.1:1337; #the nodeApp is listening on port 1337 internally only (make sure port 1337 is denied by ufw)
+	}
+}
+
+
+# http to https redirect
+#
+server {
+	listen       80;
+	server_name  [domain.tld];  #CHANGE THIS
+	return 301   https://$host$request_uri;
+}
+
+
+# ssl and http2 config
+#
+server {
+	listen       443 ssl http2;
+	listen       [::]:443 ssl http2;
+	server_name  [domain.tld];  #CHANGE THIS
+	root         /var/www/html/;
+
+	ssl on;
+	ssl_certificate      /etc/letsencrypt/live/[domain.tld]/fullchain.pem;  #CHANGE THIS
+	ssl_certificate_key  /etc/letsencrypt/live/[domain.tld]/privkey.pem;  #CHANGE THIS
+
+	ssl_session_timeout  1d;
+	ssl_session_cache    shared:SSL:50m;
+	ssl_session_tickets  off;
+
+	ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
+	ssl_prefer_server_ciphers  on;
+	ssl_dhparam                /etc/nginx/ssl/dhparam.pem;  #CHANGE THIS
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';  #generate here: https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+	# OCSP Stapling ---
+	# fetch OCSP records from URL in ssl_certificate and cache them
+	ssl_stapling         on;
+	ssl_stapling_verify  on;
+
+	# root server
+	#
+	location / {
+		root   /var/www/html/;
+		index  index.html index.htm;
+	}
+
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	location ~ /\.ht {
+		deny  all;
+	}
+}
diff --git a/README.md b/README.md
@@ -76,7 +76,7 @@ Edit:
 ```shell
 PermitRootLogin no
 PasswordAuthentication no
-AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
+AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)    #you can even whitelist IPs from where you connect from (optional)
 ```
 
 Restart the ssh service

diff --git a/README.md b/README.md
@@ -0,0 +1,96 @@
+After creating the server (droplet on [DigitalOcean](https://m.do.co/c/e0de563c2962)) log in with
+
+```shell
+ssh root@[IP ADDRESS]
+```
+
+Once inside the machine set a password for root:
+
+```shell
+passwd
+```
+
+Update your package manager:
+
+```shell
+apt-get update
+apt-get upgrade
+```
+
+Install [fail2ban](http://www.fail2ban.org/):
+
+```shell
+apt-get install fail2ban
+```
+
+Install vim:
+
+```shell
+apt-get install vim vim-scripts vim-doc vim-latexsuite vim-gui-common vim-gnome vim-gtk
+```
+
+Create a new user:
+
+```shell
+useradd deploy
+mkdir /home/deploy
+mkdir /home/deploy/.ssh
+chmod 700 /home/deploy/.ssh
+```
+
+Add your ssh key:
+
+```shell
+vim /home/deploy/.ssh/authorized_keys         #add your public ssh key here, copy your ssh key with: pbcopy < ~/.ssh/id_rsa.pub
+chmod 400 /home/deploy/.ssh/authorized_keys   #permissions
+chown deploy:deploy /home/deploy -R           #permissions
+```
+
+Give the new user a sudo password:
+
+```shell
+passwd deploy
+```
+
+And add the user to the superuser group
+
+```shell
+visudo
+```
+
+Add into the file:
+
+```shell
+	root    ALL=(ALL) ALL
+	deploy  ALL=(ALL) ALL
+```
+
+Disable root login and password authentication
+
+```shell
+vim /etc/ssh/sshd_config
+```
+
+Edit:
+
+```shell
+PermitRootLogin no
+PasswordAuthentication no
+AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
+```
+
+Restart the ssh service
+
+```shell
+service ssh restart
+```
+
+Now test your login with the new user in a new shell:
+
+```shell
+ssh deploy@[ID ADDRESS]
+```
+
+
+
+
No results found