New on LowEndTalk? Please Register and read our Community Rules.

Comments
I have a setup script that I use everywhere, so it's just
wget -O- https://secret.url/setup.sh | WG=11 sh
for me. That sets up all my base stuff that I have on every server - locks down iptables so SSH is only from trusted IPs, sets up SSH, does apt upgrade and installs common packages, sets up wireguard (the WG parameter is the subnet) and finally sets up borg backup and zabbix.
I then have a couple of specialisations - a virsh setup script for dedis or reasonably large VPS, and that sets up a bunch of different subnets for different protection zones, firewall rules for those zones between different wireguard hosts, and adds some more iptables rules to forward HTTP(S), DNS, internal webapp ports etc to particular IPs on the various zone subnets. Then when I run my one line script to create each VM I want on that machine, the rules are already in place.
For the VMs themselves, there are similar setup scripts for haproxy (also designed to work on a bare VPS too), web app setup, etc...
I've still got a few manual tasks for each new host, like adding it to DNS, adding the borg rules to SSH auth on the various targets, manually adding to zabbix server, copying the generated wireguard block to existing host configs, adding any new haproxy VM to my certbot copying script and editing the haproxy to point to the closest web server / web apps in the default pool. But generally it only takes about 30 minutes when I get a new machine to having it functional. I would have automated more of that, but I've slowed right down in acquiring new hosts now, so might as well leave it as is.
For me the best reason for doing it this way is that everything ends up repeatably the same and e.g. all my haproxies and webapps have the same final octets in IP (apart from the first 2 machines that are still on older manual configs), and so the wireguard IPs all differ only by the subnet ID. Also, automating the firewall rules means that I know e.g. that the web app VMs can only talk to each other and via the single opened port for haproxy.
Over time I've added guards to the scripts, so they don't recreate configuration files that already exist (so e.g. keys and wireguard configs don't get trashed). But that also means I can ensure specific things are fully up to date by just re-running the setup script again, even on a live server. If I'm iterating on something, e.g. when I was adding zabbix to the setup, I can just restore the system zabbix file from the backup made by my script and it'll redo that entire step.
At some point I should learn how to use ansible for some of these tasks, but I've always felt more comfortable rolling my own scripts.
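The guard-and-backup pattern the post above describes (skip a step whose config is already in place, keep the distro's original file so restoring it makes the script redo just that step), as an added illustration and not the poster's actual script. The marker line, the `apply_once` helper, the `zabbix_agentd.conf` stand-in and the scratch directory are all assumptions for the demo.

```shell
#!/bin/sh
# Idempotent setup-step guard (added example, not the poster's script): a step
# is applied only when the target file does not yet carry our marker line. The
# original file is saved once as <file>.orig, so restoring that copy and
# re-running the script redoes exactly that step and nothing else.
set -eu

MARKER='# managed-by: setup.sh'   # assumed marker; anything unlikely to occur naturally

# apply_once <target-file> <generator-command...>
# Returns 0 when the step was applied, 1 when it was already done.
apply_once() {
    target=$1; shift
    if [ -f "$target" ] && grep -qxF "$MARKER" "$target"; then
        echo "skip: $target already configured" >&2
        return 1
    fi
    mkdir -p "$(dirname "$target")"
    # Keep the pristine version exactly once; later runs must never overwrite it.
    if [ -f "$target" ] && [ ! -f "$target.orig" ]; then
        cp -p "$target" "$target.orig"
    fi
    # Build the new file next to the target and rename it into place, so a
    # crash mid-write never leaves a half-written config behind.
    tmp=$(mktemp "$(dirname "$target")/.XXXXXX")
    { printf '%s\n' "$MARKER"; "$@"; } > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$target"
    echo "applied: $target" >&2
}

# Generator for the demo step (constructed content, stands in for a real template).
gen_zabbix() { printf 'Server=10.0.0.1\nServerActive=10.0.0.1\n'; }

# Demo on a constructed scratch directory that stands in for /etc on a real host.
# Prints the scratch directory so the result can be inspected.
demo() {
    d=$(mktemp -d)
    printf 'Server=127.0.0.1\n' > "$d/zabbix_agentd.conf"       # pretend distro default
    apply_once "$d/zabbix_agentd.conf" gen_zabbix               # first run: applied
    apply_once "$d/zabbix_agentd.conf" gen_zabbix || true       # second run: skipped
    cp -p "$d/zabbix_agentd.conf.orig" "$d/zabbix_agentd.conf"  # restore pristine copy...
    apply_once "$d/zabbix_agentd.conf" gen_zabbix               # ...and the step reruns
    echo "$d"
}
```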
YABSdb
curl -sL yabs.sh | bash -s -- -s "https://yabsdb.com/add"
Check if port 25 is open
Open BBR and run YABS
Check IPHM & port 25
yabs
Can you share?
Kind regards,
Alex
Setting up a new server takes me a couple of days to ensure high performance and strong security. Because my servers host news websites, they are frequent targets, so I rely on my own security setup and Cloudflare rather than the hosting provider.
I hide the real IP using an IPv6/NAT-like setup and keep the server minimal to reduce risks and resource usage. I host only a few sites on high-spec dedicated servers, not VPSs. In 16 years, my sites have never been hacked.
I hosted with Contabo for 9 years, then another provider for 4 years, and later BinaryRacks, where my server ran for 624 days with 100% uptime. This month, I moved to Hetzner for AMD servers.
PS: I don’t use YAPS; I’m launching my own platform soon, which will replace it and other control panels.