
start a guide on building a git server

pull/1/head
Craig Stewart 2 years ago
parent
commit
535765cc2f
5 changed files with 290 additions and 0 deletions
  1. +54
    -0
      guides/building-a-git-repo/index.html
  2. +63
    -0
      guides/building-a-git-repo/other-considerations.html
  3. +114
    -0
      guides/building-a-git-repo/secure-start.html
  4. +52
    -0
      guides/index.html
  5. +7
    -0
      styles/default.css

+ 54
- 0
guides/building-a-git-repo/index.html View File

@@ -0,0 +1,54 @@
<!DOCTYPE html>
<html lang="en">
<head>
<link href="/styles/default.css" rel="stylesheet" type="text/css" />
<title>
Building A git Repository Server using Gitea on Debian
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>
<div id="wrapper">
<div id="header">
<h1>
Building A git Repository Server
</h1>
</div>
<div id="layout">
<div id="navigation">
<p class="link">
<a href="/index.html">
Home
</a>
</p>
<p class="link">
<a href="/about.html">
About Me
</a>
</p>
<p class="link">
<a href="/contact.html">
Contact Me
</a>
</p>
<!--<p class="link">
<a href="/cv.html">
My CV
</a>
</p>-->
<p class="link">
<a href="https://www.craig-james-stewart.co.uk/blog/">
My Blog
</a>
</p>
</div>
<div id="content">
<p>In this guide I am going to do my best to set up a hosted git server using <a href="https://gitea.io/en-US/" title="Gitea - Git with a cup of tea">Gitea</a> and running on <a href="https://www.debian.org/" title="Debian -- The Universal Operating System">Debian</a> in a secure way. Please do make sure you understand the implications of my advice, and follow best practises if you choose to follow this guide.</p>
<p>That said, lets get started. The guide is broken down into steps, so that it is easier to follow.</p>
<p><a href="/guides/building-a-git-repo/secure-start.html" title="Starting With a Secure Base">Starting With a Secure Base</a></p>
<p><a href="/guides/building-a-git-repo/other-considerations.html" title="Other Considerations">Other Considerations</a></p>
</div>
</div>
</div>
</body>
</html>
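Review bot: the index page says the guide sets up Gitea on Debian, but neither linked step (secure-start.html, other-considerations.html) installs or configures Gitea, and other-considerations.html opens with "by now the server should be working"; either add the Gitea installation step to the list here or say that it is still to come, so readers do not finish the two steps expecting a running server. Minor spelling in the intro paragraph: "best practises" should be "best practices" and "lets get started" should be "let's get started".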

+ 63
- 0
guides/building-a-git-repo/other-considerations.html View File

@@ -0,0 +1,63 @@
<!DOCTYPE html>
<html lang="en">
<head>
<link href="/styles/default.css" rel="stylesheet" type="text/css" />
<title>
Other Considerations
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>
<div id="wrapper">
<div id="header">
<h1>
Other Considerations
</h1>
</div>
<div id="layout">
<div id="navigation">
<p class="link">
<a href="/index.html">
Home
</a>
</p>
<p class="link">
<a href="/about.html">
About Me
</a>
</p>
<p class="link">
<a href="/contact.html">
Contact Me
</a>
</p>
<!--<p class="link">
<a href="/cv.html">
My CV
</a>
</p>-->
<p class="link">
<a href="https://www.craig-james-stewart.co.uk/blog/">
My Blog
</a>
</p>
</div>
<div id="content">
<p>These are things worth thinking about, but by now the server should be working.</p>
<h2>Backups</h2>
<p>We have set up a single server, if something goes wrong it not only goes offline, but we risk losing any data not kept elsewhere. Git by it's nature is distributed, but only when the code is checked out, and in use. I'm not going to offer a guide to setting up backups here, there are numerous ways to do so. Most hosting providers will offer some form of backup option for an extra fee for example. Please do think about this, and set up some backups or you risk losing data.</p>
<h2>ssh keys</h2>
<p>So you have a user account that you ssh too, and that account is using a secure password (hopefully). However ssh keys are a more secure way of authenticating against a host. To set up ssh key based authentication on your local host you need to generate an ssh public and private key pair, how will depend on your platform of choice. Then when you log into your server you will need to create an authorized_keys file using the folowing comands</p>
<pre>mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh</pre>
<p> you will then need to edit ~/.ssh/authorized_keys and put the contents of the public key file you generated earlier in there, one key per line. Each key that you add will be able to login to that user account.</p>
<h2>Time Keeping</h2>
<p></p>
<p style="text-align:center;"><a href="/guides/building-a-git-repo/" title="Building A git Repository Server" style="display:inline">Back</a></p>
</div>
</div>
</div>
</body>
</html>
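Review bot: the last line of the ssh-keys block is wrong: `chmod 600 ~/.ssh` immediately undoes the `chmod 700 ~/.ssh` above it and strips the execute bit from the directory, so neither the user nor sshd can traverse ~/.ssh and key authentication will not work; it should be `chmod 600 ~/.ssh/authorized_keys` (and `mkdir -p ~/.ssh` avoids an error if the directory exists). Once keys are confirmed working, the section should also tell the reader to set `PasswordAuthentication no` in /etc/ssh/sshd_config and restart sshd, otherwise the password login the text describes as the weaker method stays accepted. The "Time Keeping" heading is followed by an empty paragraph; fill it in (the firewall step already opens UDP 123 for NTP, so a one-line pointer to installing an NTP client would do) or drop the heading until it has content. Typos: "by it's nature" should be "by its nature", "ssh too" should be "ssh to", and "folowing comands" should be "following commands".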

+ 114
- 0
guides/building-a-git-repo/secure-start.html View File

@@ -0,0 +1,114 @@
<!DOCTYPE html>
<html lang="en">
<head>
<link href="/styles/default.css" rel="stylesheet" type="text/css" />
<title>
Starting With a Secure Base
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>
<div id="wrapper">
<div id="header">
<h1>
Starting With a Secure Base
</h1>
</div>
<div id="layout">
<div id="navigation">
<p class="link">
<a href="/index.html">
Home
</a>
</p>
<p class="link">
<a href="/about.html">
About Me
</a>
</p>
<p class="link">
<a href="/contact.html">
Contact Me
</a>
</p>
<!--<p class="link">
<a href="/cv.html">
My CV
</a>
</p>-->
<p class="link">
<a href="https://www.craig-james-stewart.co.uk/blog/">
My Blog
</a>
</p>
</div>
<div id="content">
<p>So to start we need a hosted server, I'm using a virtual private server from <a href="https://www.linode.com/" title="SSD Cloud Hosting &amp;amp; Linux Servers - Linode">Linode</a>, but any suitable hosting provider will do. Linode includes a number of Operating Systems you can install with one touch, and I'm using their Debian 9 image, so installing Debian is outside the scope of this guide. Our first steps once the server is built should be to make sure that it is reasonably secure, so first turn off access to the root user over ssh using a password (I'm not happy that the default setting has this set to yes, but given the base image doesn't include any none system user accounts it's a compromise) by editing /etc/ssh/sshd_config and changing the line </p>
<pre>PermitRootLogin yes</pre>
<p>to</p>
<pre>PermitRootLogin no</pre>
<p>and restart the ssh daemon.</p>
<pre>service ssh restart</pre>
<p>Then add a user so that you can get onto the server without having to login as root.</p>
<pre>useradd user</pre>
<p>This will prompt you for the new user's password, this should be a good strong password, I suggest using a password manager for this, I use <a href="https://keepass.info/" title="KeePass Password Safe">KeePass</a> (also you don't have to use &quot;user&quot; as the username, that's just an example).</p>
<p>Now is a good time to install some packages for security, fail2ban to stop our user password being cracked by brute forced, iptables to protect us from opening services unexpectedly, and iptables-persistent to allow the rules we set to persist over reboots.</p>
<pre>apt-get install fail2ban iptables iptables-persistent</pre>
<p>The default settings for fail2ban on debian protect ssh, but we will add new settings later, iptables default settings are quite permissive however so these will need changing. The following commands will set what I expect to be a reasonably secure set of rules, blocking lots of incoming and outgoing network connections we don't want, whilst allowing those that we do.</p>
<pre>iptables -F
ip6tables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
iptables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
ip6tables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 123 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 123 -j ACCEPT
ip6tables -A OUTPUT -p udp -o eth0 --dport 123 -j ACCEPT
ip6tables -A INPUT -p udp -i eth0 --sport 123 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables-save &gt; /etc/iptables/rules.v4
ip6tables-save &gt; /etc/iptables/rules.v6
</pre>
<p>This will clear the current rules, and set the default action for incoming and outgoing connection to DROP, so if we don't allow it the connection doesn't happen. We allow some basics like connections that are already established, internal loopback connections, DNS and NTP requests going out and responses coming back over UDP, and DNS requests over TCP going out. We then allow the server to make HTTP and HTTPS requests, which we need for package management, and allow SMTP connections out, as we will probably want to allow this server to send emails. Finally we allow incoming connections to SSH HTTP and HTTPS, which will all be used for hosting our Git Repository server, and set these rules to be persistent.</p>
<p>Up till now we have been logged in as root, and run all our commands as root, but once we log off we cannot log back in as root, we saw to that earlier. We can log in as our user, and use the command su to escalate our session to root, but that isn't the most secure way to manage our server, so next we need to install sudo, and configure it to allow our user to run commands as root.</p>
<pre>apt-get install sudo
usermod -aG sudo user</pre>
<p>Under a default debian install this will install sudo, create the sudo group, and give permission to that group to use sudo to run commands as root. We are then adding our user to the sudo group. Next time you log in you will be able to use sudo to run commands as root. (substitute "user" for the username you created earlier)</p>
<p>We now have what should be a reasonably secure base to start building our git server.</p>
<p style="text-align:center;"><a href="/guides/building-a-git-repo/" title="Building A git Repository Server" style="display:inline">Main Page</a></p>
</div>
</div>
</div>
</body>
</html>
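Review bot: the firewall block as ordered will cut off the SSH session it is typed into: `iptables -F` empties INPUT and the very next lines set `iptables -P INPUT DROP` and `iptables -P OUTPUT DROP`, so from that point every packet of the current session is dropped and the `--state ESTABLISHED` ACCEPT rules that would let it continue are never entered. Append the ACCEPT rules first and set the DROP policies as the final step, or put the whole block in a script run from the provider's console rather than over SSH. Second, `useradd user` on Debian neither prompts for a password nor creates a home directory, contrary to the following paragraph; use `adduser user` (interactive, does both) or `useradd -m user` followed by `passwd user`, and create and test-login the user before setting `PermitRootLogin no`, since with root login already disabled a dropped session otherwise leaves no way back in. Third, the reply rules `iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT` and the matching `--sport 123` lines accept any inbound UDP from those source ports whether or not this host sent a query; because the ESTABLISHED rules are limited with `-p tcp`, conntrack is not being used for UDP at all. Dropping the `-p tcp` from the ESTABLISHED rules (and adding RELATED) lets conntrack match DNS and NTP replies and the four sport rules can go. Related: IPv4 ICMP only permits echo-request in and echo-reply out, so inbound destination-unreachable (including fragmentation-needed) is dropped by policy and path MTU discovery breaks; accept ICMP under RELATED as well. Minor: the Linode link title contains `&amp;amp;`, which is double-encoded and renders literally, and "substitute "user" for the username you created" is reversed.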

+ 52
- 0
guides/index.html View File

@@ -0,0 +1,52 @@
<!DOCTYPE html>
<html lang="en">
<head>
<link href="/styles/default.css" rel="stylesheet" type="text/css" />
<title>
Instructional Guides
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>
<div id="wrapper">
<div id="header">
<h1>
Instructional Guides
</h1>
</div>
<div id="layout">
<div id="navigation">
<p class="link">
<a href="/index.html">
Home
</a>
</p>
<p class="link">
<a href="/about.html">
About Me
</a>
</p>
<p class="link">
<a href="/contact.html">
Contact Me
</a>
</p>
<!--<p class="link">
<a href="/cv.html">
My CV
</a>
</p>-->
<p class="link">
<a href="https://www.craig-james-stewart.co.uk/blog/">
My Blog
</a>
</p>
</div>
<div id="content">
<p>These guides are intended for people who understand what they are doing with web hosting, and have experience of managing linux servers. I do not offer guarantees of completeness or security on the end results. Follow them at your own risk.</p>
<p><a href="/guides/building-a-git-repo/" title="Building A git Repository Server using Gitea on Debian">Building A git Repository Server using Gitea on Debian</a></p>
</div>
</div>
</div>
</body>
</html>
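Review bot: the navigation block (Home, About Me, Contact Me, the commented-out My CV link, My Blog) is now copied verbatim into all four new HTML files, so any change to a link means editing four places; consider generating it from one source, or at least not carrying the commented-out CV link into every copy. Minor: "linux" should be "Linux".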

+ 7
- 0
styles/default.css View File

@@ -22,6 +22,13 @@ p {
div {
margin:0;
}
pre {
text-align:left;
margin:5px;
background-color:#000000;
color:#ffffff;
overflow:auto;
}
#wrapper {
background-color:#dddd99;
}

