install-server

Instructions for preparing a private Ubuntu 15.04 server to host a node app with a mongo database

## Security install

Connect via ssh with the root account on your server

Install sudo and update apt-get

$ apt-get update
$ apt-get install sudo

### Create a user with sudo rights

$ adduser YOUR_USER_NAME
$ adduser YOUR_USER_NAME sudo

Configure ssh

It's more secure to change the port number for ssh (it spares you most automated attacks). This only cuts down scanner noise, so it does not replace strong authentication.

We also deny root access over ssh.

$ vi /etc/ssh/sshd_config
  • Change the Port value (for example 2222)
  • Set PermitRootLogin to no /!\ Make sure you have another user first!
  • Restart ssh
$ /etc/init.d/ssh restart

/!\ After changing the Port value, you will have to specify the port you defined when connecting via ssh.

Simple firewall configuration

We will use iptables for this.

$ apt-get install iptables
$ vi /etc/init.d/firewall

Copy the content of firewall.sh from this repo into the new file.

  • By default we close all ports, and reopen only the necessary ones.
  • /!\ Remember to change the ssh port number in the file (lines 33-34) to the one you chose in the previous step
  • Make the file executable
$ chmod +x /etc/init.d/firewall
  • Launch it
$ /etc/init.d/firewall
  • Add it to the boot scripts (Ubuntu 14 version)
$ update-rc.d firewall defaults
  • Add it to the boot scripts (Ubuntu 15 version): add this line to /etc/rc.local
$ sudo /etc/init.d/firewall
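
The two lock-out warnings above (disabling root login without another sudo user, and a firewall that still opens the old ssh port) can be checked before anything is restarted. This is an added example, not code from this repo: the function names, the three file arguments and the rule shape it looks for (`-A INPUT ... --dport PORT ... -j ACCEPT`) are assumptions, since firewall.sh is not shown on this page.

```shell
# Added example, not part of the original repo. Files are passed as arguments
# so the check can run on copies before the live files are touched.

# Print the first value of an sshd_config keyword (sshd uses the first match;
# keywords are case-insensitive; comment lines are skipped).
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_ssh_hardening SSHD_CONFIG FIREWALL_SCRIPT GROUP_FILE
# Returns 0 when ssh can be restarted and the firewall loaded, 1 otherwise.
check_ssh_hardening() {
    conf=$1; fw=$2; grp=$3; rc=0
    port=$(sshd_value "$conf" Port)
    port=${port:-22}    # sshd listens on 22 when Port is not set
    root=$(sshd_value "$conf" PermitRootLogin)

    if [ "$port" = 22 ]; then
        echo "WARN: ssh still listens on the default port 22"; rc=1
    fi
    if [ "$root" != no ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    # Root login is about to be refused: someone else must be able to sudo.
    if ! awk -F: '$1 == "sudo" && $4 != "" { ok = 1 } END { exit !ok }' "$grp"; then
        echo "FAIL: no user in the sudo group, disabling root would lock you out"; rc=1
    fi
    # The firewall closes everything by default, so it must accept the ssh port.
    if ! grep -Eq "^[^#]*-A INPUT .*--dport $port( |\$).*-j ACCEPT" "$fw"; then
        echo "FAIL: firewall script has no ACCEPT rule for ssh port $port"; rc=1
    fi
    return $rc
}
```

Run it as `check_ssh_hardening /etc/ssh/sshd_config /etc/init.d/firewall /etc/group` before restarting ssh, and keep the current root session open until a second login on the new port succeeds.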

Block port scanning with portsentry (DO NOT USE IF YOU CONNECT FROM VARIOUS IPs)

$ apt-get install portsentry
  • Edit /etc/portsentry/portsentry.ignore and add your local IP (otherwise you will be blocked!)
  • Edit /etc/default/portsentry and put this content
TCP_MODE="atcp"
UDP_MODE="audp"
  • Edit /etc/portsentry/portsentry.conf file
    • In the `IGNORE OPTION` section, set these values (default value is 0)
    BLOCK_UDP="1"
    BLOCK_TCP="1"

    • Comment out the KILL_HOSTS_DENY lines
    • Because we use iptables, comment out all lines beginning with KILL_ROUTE EXCEPT KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
  • Restart service
$ service portsentry restart

Install fail2ban

TO DO

For the next connection

From now on, always connect with the user you created

Only authorize this user to connect ?

TODO

Add ssh key ?

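  • Generate an ssh key if you do not have one (ed25519 rather than DSA: DSA keys are capped at 1024 bits and disabled by default since OpenSSH 7.0)
$ ssh-keygen -t ed25519
  • Add the key to your server (replace the path)
$ ssh-copy-id -i ~/.ssh/your_key.pub -p 2222 user@machine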

Install git

$ sudo apt-get install git

## Install node

Connect via ssh to your server, using the user you created (and not root). Remember to specify the ssh port you defined.

$ ssh my_user@mon_ip -p 2222

Create a user for node (better for isolating the node process) and switch to it. The -m option creates the home directory /home/nodejs that the next steps rely on.

$ sudo useradd -m nodejs
$ sudo su nodejs

### Create directory and npm config

  • Create a local directory
$ mkdir ~/.local
  • Create a .npmrc file and paste in the content of the .npmrc from this repo
$ vi ~/.npmrc

### Download and install node

  • Install the necessary libraries (from your sudo user; nodejs has no sudo rights)
$ sudo apt-get install -y gcc g++ python clang make
  • Go to node download page, and find the download link to the version you want.
$ wget https://nodejs.org/dist/v4.2.4/node-v4.2.4.tar.gz
  • Extract the files and go to the directory
$ tar -xzvf node-v4.2.4.tar.gz
$ cd ~/node-v4.2.4
  • Configure the build
$ ./configure --prefix=$HOME/.local
  • Build and install (this may take a long time)
$ make
$ make install
  • Add a symbolic link for node modules
$ ln -s ~/.local/lib/node_modules ~/.node_modules
  • Add the node bin directory to your PATH by adding this to your .bashrc
export PATH=$HOME/.local/bin:$PATH
  • Check if everything is ok
$ node -v
$ npm -v
  • Clean up
$ rm -R ~/node-v4.2.4
$ rm ~/node-v4.2.4.tar.gz
  • From now on, connect as the nodejs user to use node!
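
The download step above fetches a tarball that is then compiled and run, so it is worth comparing it with the SHASUMS256.txt file published in the same nodejs.org dist directory before building. This is an added example, not part of the original repo; `verify_download` is a hypothetical helper name.

```shell
# Added example, not part of the original repo.
# Typical use, next to the wget step above:
#   wget https://nodejs.org/dist/v4.2.4/SHASUMS256.txt
#   verify_download node-v4.2.4.tar.gz SHASUMS256.txt && tar -xzvf node-v4.2.4.tar.gz

# verify_download FILE SHASUMS
# Succeeds only when FILE's SHA-256 matches its entry in SHASUMS
# (lines of the form "<hex digest>  <file name>").
verify_download() {
    file=$1; sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
    case $expected in
        "")
            echo "FAIL: $name is not listed in $sums"; return 1 ;;
        *[!0-9a-f]*)
            # Also catches duplicate entries: two digests contain a newline.
            echo "FAIL: malformed or duplicate entry for $name"; return 1 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "FAIL: entry for $name is not a SHA-256 digest"; return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $name does not match $sums, do not build it"; return 1
    fi
    echo "OK: $name matches $sums"
}
```

The checksum file comes from the same server as the tarball, so this catches a corrupted or truncated download; authenticity additionally requires checking the signed SHASUMS256.txt.asc with gpg.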

## Install and configure nginx to proxy your node app

Nginx is a good solution to redirect all http ports.

### Install nginx

$ sudo apt-get install nginx

Add a proxy to redirect port 80 to your app

  • Add my-nginx.conf from this repo to your /etc/nginx/sites-available folder, and add a symlink in the /etc/nginx/sites-enabled folder.

Change the domain name and the port.

$ sudo ln -s /etc/nginx/sites-available/my-nginx.conf /etc/nginx/sites-enabled
  • Remove default config
$ sudo rm /etc/nginx/sites-enabled/default
  • Reload nginx
$ sudo service nginx reload

Https consideration

to do

## Install pm2, to run your node app

  • Log in as your node user
$ sudo su nodejs
  • Install pm2
$ npm install -g pm2
  • Add pm2 to boot script
$ pm2 startup

Then execute the command it prints (as a sudo user)

  • (Optional) Use Keymetrics: go to Keymetrics, create an account, and on your server, type the command provided to enable access to your server.

You can now install lots of plugins! Personally, I install logrotate, server monitoring, and mongo modules, for example. You can install them directly from the command line on your server, or by clicking on the Keymetrics site.

/!\ You need to open certain ports: see the Keymetrics recommendations, and configure your firewall accordingly (already done in my file, but the port may be different)

Install and configure mongo

Install and start

This really depends on the version of your server. These instructions are specific to Ubuntu 15.04.

There are some compatibility problems with Ubuntu 15.04; the solution is to [install the Debian version](https://docs.mongodb.org/manual/tutorial/install-mongodb-on-debian/).

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
$ echo "deb http://repo.mongodb.org/apt/debian wheezy/mongodb-org/3.2 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
$ sudo apt-get update
$ sudo apt-get install -y mongodb-org
$ sudo service mongod start

Enable authentication on your database

  • Create an admin user (replace the example password with a strong one)
$ mongo
> use admin
> db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
  • Change the configuration to use authentication
$ sudo vi /etc/mongod.conf

Add these lines

security:
  authorization: enabled
  • Restart mongo
$ sudo service mongod restart
  • Check that it works.
$ mongo
> db.getUsers()

You will see an error, because this session is not authenticated.

$ mongo -u "myUserAdmin" --authenticationDatabase "admin" -p
> db.getUsers()

Everything is ok.

Enable authentication on your database

  • Create a database for your application
$ mongo -u "myUserAdmin" --authenticationDatabase "admin" -p
> use myApplicationDB
  • Create a user with the appropriate rights (read, readWrite, or write), replacing the example password with a strong one
> db.createUser(
    {
      user: "myAppUser",
      pwd: "secretPWD",
      roles: [
         { role: "readWrite", db: "myApplicationDB" }
      ]
    }
)

Contributors: aureliev, madikera77


install-server's Issues

More explanations

Hello,

First of all, your tutorial is great.

The big problem I saw with it is that it isn't really made for novices (like me): I do the steps and everything works really well, but I don't know what I'm doing. It would be cool if you could put 2-3 lines at the start of each paragraph explaining why we do this.

Basically, your tutorial explains wonderfully how to do things but doesn't say why they need to be done.

Thanks.

Node user

For the node installation, I created the nodejs user

$ sudo useradd nodejs
$ sudo su nodejs

Then you say to create the ~/.local folder
Except that ~/, which corresponds to /home/nodejs, doesn't exist!

Where does the error come from? The tutorial, my understanding, or my being a complete novice?

Thanks.

Setting up a website

Hello,

I did the steps up to nginx to redirect port 80 to my app..... ok!

But which folder do I have to put my app in so that it shows up on my domain name?
Maybe I need to do the pm2 step for that, but I admit I'm lost there (cf. #2).

Thanks.
