Deploying React to Linux Server with Git Push

Selected VPS: Linode, 1 GB RAM, 20 GB SSD, 1 TB transfer
OS: Ubuntu 17.04
Web Server: Nginx
If you’d like to try Linode, I would greatly appreciate using this referral link – Linode: SSD Cloud Hosting & Linux Servers

Start with regular updates

apt-get update && apt-get upgrade

Set up fail2ban and Firewall

I’m installing fail2ban 0.10 since it supports IPv6. At the time of this post, it is not available as a regular package.

wget https://github.com/fail2ban/fail2ban/archive/0.10.0.tar.gz
tar -xvzf 0.10.0.tar.gz
#setup.py and the files directory are inside the extracted source tree
cd fail2ban-0.10.0
python3 setup.py install

#To enable fail2ban as an automatic service, copy the script for your distro from the files directory to /etc/init.d.

cp files/debian-initd /etc/init.d/fail2ban
update-rc.d fail2ban defaults
service fail2ban start

#Add local jail
awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.local

Uncomment the sshd section and add:
enabled = true

sudo apt-get install sendmail iptables-persistent
sudo service fail2ban start

Firewall (allow established connections, traffic generated by the server itself, and traffic destined for our SSH and web server ports; drop all other traffic):

sudo service fail2ban stop
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A INPUT -j DROP

# easy way to rate-limit ssh with ufw:
# technically, we could do all of the iptables stuff with ufw
ufw enable
ufw limit ssh

If using IPv6:

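# loopback and established connections, as in the IPv4 rules above
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT # (replace with your undisclosed port)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -j REJECT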

View iptables rules:

sudo iptables -S

Save iptables rules:

sudo dpkg-reconfigure iptables-persistent
sudo service fail2ban start

SSH

vim /etc/ssh/sshd_config

#Add or uncomment (if using Ubuntu < 17.04)
protocol 2

#Add allowed ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256,hmac-sha2-512

Test the ssh config, then restart:

#returns nothing if everything is configured properly; run it before the restart so a typo does not leave sshd down
sshd -t
service sshd restart
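
To confirm that sshd is really limited to the lists above, the effective settings printed by sshd -T can be compared against them. This is an added example, not part of the original post; the helper name audit_sshd_algos and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare sshd's effective algorithms with the allow-lists above.
# On the server (as root): sshd -T | audit_sshd_algos

ALLOWED_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr"
ALLOWED_KEX="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256"
ALLOWED_MACS="hmac-sha2-256,hmac-sha2-512"

# Reads `sshd -T` style output on stdin. Prints "keyword algorithm" for every
# enabled algorithm outside the allow-list and returns 1 if any were found.
# audit_sshd_algos is a hypothetical helper name, not an OpenSSH tool.
audit_sshd_algos() {
    awk -v c="$ALLOWED_CIPHERS" -v k="$ALLOWED_KEX" -v m="$ALLOWED_MACS" '
        BEGIN { allow["ciphers"] = c; allow["kexalgorithms"] = k; allow["macs"] = m }
        {
            key = tolower($1)
            if (!(key in allow)) next
            seen[key] = 1
            n = split($2, got, ",")
            for (i = 1; i <= n; i++)
                if (index("," allow[key] ",", "," got[i] ",") == 0) {
                    print key, got[i]
                    bad = 1
                }
        }
        END {
            # A keyword absent from the input cannot be vouched for
            for (key in allow)
                if (!(key in seen)) { print key, "(not in input)"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample (not real server output): one legacy cipher and one legacy MAC
SAMPLE_SSHD_T='port 22
ciphers aes128-ctr,3des-cbc,aes256-ctr
kexalgorithms ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
macs hmac-sha2-256,hmac-sha1'

# Prints: "ciphers 3des-cbc" and "macs hmac-sha1"
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_algos || true
```

An empty result with exit status 0 means every enabled cipher, key exchange and MAC is on the list.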

NGINX

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:nginx/stable
sudo apt-get install nginx
service nginx status

Update /etc/nginx/sites-enabled/default

# must match the directory the post-receive hook deploys to
root /var/www/html/your_app;

location / {
    # Some comments...
    try_files $uri /index.html;   # ADD THIS
}

sudo service nginx restart

Installing React Dependencies

# install yarn
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt-get update && sudo apt-get install yarn
 
#install node (apt-get repo has an older version of Node)
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
sudo apt-get install -y nodejs
sudo apt-get install -y build-essential

GIT Push Deploy

Let’s set up git on the server

apt-get install git-core
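# run from your home directory; the hook below expects $HOME/repos/your_app.git
mkdir repos && cd repos
mkdir your_app.git
cd your_app.git
git init --bare

Set up a post-receive hook

cd ~/repos/your_app.git/hooks
touch post-receive

Contents of post-receive: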

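#!/bin/bash -l
# Abort on the first failed step so a broken build never replaces the live site
set -e

GIT_REPO=$HOME/repos/your_app.git
TMP_GIT_CLONE=$HOME/tmp/git/your_app
PUBLIC_WWW=/var/www/html

# Start from a clean clone in case a previous run was interrupted
rm -rf "$TMP_GIT_CLONE"
git clone "$GIT_REPO" "$TMP_GIT_CLONE"
cd "$TMP_GIT_CLONE"
yarn install
yarn build

# Keep the previous release as a backup, then publish the new build
rm -rf "$PUBLIC_WWW/your_app_bup"
if [ -d "$PUBLIC_WWW/your_app" ]; then
    mv "$PUBLIC_WWW/your_app" "$PUBLIC_WWW/your_app_bup"
fi
cp -a build/. "$PUBLIC_WWW/your_app"
rm -rf "$TMP_GIT_CLONE"
exit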

Make post-receive executable:

chmod +x post-receive

On your local machine:

git remote add linode root@remote_server_address:repos/your_app.git
git push linode master
