Internet Services running on my VM

Internet services I needed to configure on my virtual cloud server, for the whistl.com domain.

security:
– ufw firewall
– fail2ban block attackers for all online services
remote-access:
– openssh ssh server
– openvpn VPN server
web-server:
– mysqld/mariadb database server
– nginx web server
– php programming language
– php-fpm fastcgi php module
– proftpd ftp server
ssl-certificates:
– letsencrypt-certbot
email:
– dovecot imap server
– postfix mailer daemon
– amavisd mail filter service
– clamav anti-virus service
– spamassassin anti-spam service

Command line utilities I can’t live without:

– screen virtual terminal manager
– htop system monitor
– dstat system monitor
– tcpdump cli network traffic capture utility
– expect interactive tty user emulator

2 thoughts on “Internet Services running on my VM”

  1. whistl Post author
    root@whistl:~# ufw status numbered
    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] 20:21/tcp                  ALLOW IN    Anywhere                  
    [ 2] 22/tcp                     ALLOW IN    Anywhere                  
    [ 3] 25/tcp                     ALLOW IN    Anywhere                  
    [ 4] 80/tcp                     ALLOW IN    Anywhere                  
    [ 5] 143/tcp                    ALLOW IN    Anywhere                  
    [ 6] 443/tcp                    ALLOW IN    Anywhere                  
    [ 7] 587/tcp                    ALLOW IN    Anywhere                  
    [ 8] 993/tcp                    ALLOW IN    Anywhere                  
    [ 9] 20:21/tcp (v6)             ALLOW IN    Anywhere (v6)             
    [10] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
    [11] 25/tcp (v6)                ALLOW IN    Anywhere (v6)             
    [12] 80/tcp (v6)                ALLOW IN    Anywhere (v6)             
    [13] 143/tcp (v6)               ALLOW IN    Anywhere (v6)             
    [14] 443/tcp (v6)               ALLOW IN    Anywhere (v6)             
    [15] 587/tcp (v6)               ALLOW IN    Anywhere (v6)             
    [16] 993/tcp (v6)               ALLOW IN    Anywhere (v6)             
    
  2. whistl Post author

    I’m running proftpd FTP server (TCP ports 20, 21), openssh login server (22), postfix SMTP email server (25, 587), nginx and php-fpm web server (80, 443), and dovecot IMAP email server (143, 993). The duplicate (v6) rules are because this cloud virtual server supports both standard IPv4 and the newer IPv6 clients.

    I’ve no illusions that exposing this kind of detailed technical information only aids any potential attackers, but I figure it also helps other sysadmins who want to replicate this kind of inexpensive personal domain hosting provider. If the software has a bug, let’s find it. If it’s my configuration, again, I take regular backups, I trust them. Let’s find the holes.

    Maybe next year, before my one year subscription to cloudns.net runs out, I might try out Amazon Route 53 DNS servers for my domains. I like cloudns well enough, and have found them very reliable, but they are a small organization, so I worry about the distribution of their connectivity, and the ability to cope with the inevitable ddos attacks. They aren’t terribly transparent about where their 4 std and 4 premium dns servers are located around the globe. I’m imagining it’s probably 4, or maybe 8, data centers around North America and Europe, which is good enough for me. I doubt I get any overseas connections, beyond the odd linux geek looking for one of my technical blog posts. I don’t need to worry about optimizing for Russia, China, India, or other overseas traffic, I just mean. But Route 53 has other benefits, beyond the admirable goal of managing your entire Internet site through the aws management console website.

    My next week’s goal is to have a multi-domain email and web server solution, so all of my domain names can use my same nginx, dovecot and postfix solutions. I think that would be more resource efficient than reproducing whistl.com as whistl.us and whistl.me. Why not have them all co-hosted on the same virtual server, with multiple virtual domains configured in nginx, postfix and dovecot. I will have to look into dovecot, see if it even supports mysql user and domain databases, or if I need to run openldap and set up ldap support in dovecot.

    I’m also imagining an X.509 client SSL certificate authenticated openvpn server in my future.
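A drift check that follows from the service-to-port mapping in the comment above, added here as an example and not code from the original post or its author's server: it parses `ufw status numbered` output and reports allowed ports that no listed service needs, plus service ports with no matching rule, separately for IPv4 and IPv6. The sample table is constructed from the comment, with one extra v6 row (3306/tcp) invented to show a flagged rule; the service names in EXPECTED_TCP are an assumption taken from the comment.

```python
import re

# Constructed sample input modelled on the 'ufw status numbered' table above.
# The 3306/tcp (v6) row is invented here to show how an unexpected rule is flagged.
UFW_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 20:21/tcp                  ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 25/tcp                     ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 143/tcp                    ALLOW IN    Anywhere
[ 6] 443/tcp                    ALLOW IN    Anywhere
[ 7] 587/tcp                    ALLOW IN    Anywhere
[ 8] 993/tcp                    ALLOW IN    Anywhere
[ 9] 20:21/tcp (v6)             ALLOW IN    Anywhere (v6)
[10] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[11] 3306/tcp (v6)              ALLOW IN    Anywhere (v6)
"""

# Intended inbound TCP exposure, per service, as described in the comment (assumed).
EXPECTED_TCP = {
    "proftpd": {20, 21}, "openssh": {22}, "postfix": {25, 587},
    "nginx/php-fpm": {80, 443}, "dovecot": {143, 993},
}

# Matches "[ n] PORT[/range]/tcp [(v6)] ALLOW IN ..." rows; other lines are skipped.
RULE_RE = re.compile(r"^\[\s*\d+\]\s+(\d+(?::\d+)?)/tcp(?:\s+\((v6)\))?\s+ALLOW IN\s+")

def parse_allowed_tcp(status_text):
    """Return {'v4': set_of_ports, 'v6': set_of_ports} allowed inbound by ufw."""
    allowed = {"v4": set(), "v6": set()}
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        lo, _, hi = m.group(1).partition(":")          # "20:21" -> 20..21
        allowed["v6" if m.group(2) else "v4"].update(range(int(lo), int(hi or lo) + 1))
    return allowed

def audit(status_text, expected=EXPECTED_TCP):
    """Per address family: ports open that no listed service needs ('unexpected')
    and service ports that have no ALLOW rule ('missing')."""
    wanted = set().union(*expected.values())
    allowed = parse_allowed_tcp(status_text)
    return {fam: {"unexpected": sorted(allowed[fam] - wanted),
                  "missing": sorted(wanted - allowed[fam])} for fam in ("v4", "v6")}

if __name__ == "__main__":
    for fam, result in audit(UFW_STATUS).items():
        print(fam, "unexpected:", result["unexpected"], "missing:", result["missing"])
```

To run it against a live server, replace UFW_STATUS with the captured output of `ufw status numbered`.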
