slicehost configuration
This is a merger of a few earlier articles on various portions of my Slicehost configuration. I merged them so they would be easier to find, and provide a potentially superior resource.
Some of my configuration has since changed, due to Slicehost adding support for Archlinux. :)
Install and update
Dapper to Edgy
The first step was to choose an OS for my slice. I went with Ubuntu, for no particular reason. I almost went with Debian Etch, but didn't. Note: all the following commands need to be run as root, or via sudo.
The install Ubuntu option gives you Dapper. Time to upgrade.
First you need to get the locale squared away, or you will have tons of errors during the upgrade.
$ apt-get install language-pack-en
That should fix that.
Next, edit the /etc/apt/sources.list file. Change all references of dapper to edgy. Then run the following command.
$ apt-get update && apt-get dist-upgrade && apt-get dist-upgrade
You need to run dist-upgrade at least twice, maybe even a third time. Sometimes things get missed.
$ apt-get dist-upgrade
$ apt-get -f install
$ dpkg --configure -a
Now you are done with stage 1 of the upgrade. Reboot.
$ reboot
Edgy to Feisty
The upgrade from Edgy to Feisty is pretty similar to what was done above.
Edit the /etc/apt/sources.list file. Change all references of edgy to feisty. Then run the following command.
$ apt-get update && apt-get dist-upgrade && apt-get dist-upgrade
You need to run dist-upgrade at least twice, maybe even a third time. Sometimes things get missed.
$ apt-get dist-upgrade
$ apt-get -f install
$ dpkg --configure -a
Now you are done with stage 1 of the upgrade. Reboot.
$ reboot
Yay! Updated to feisty now.
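The two hops above are the same procedure with different release names. Here is an added script, not from the original article, that does the sources.list rewrite with a backup and then repeats dist-upgrade until apt has nothing left to do; the function names switch_release, count_release and upgrade_until_clean are my own, and the SOURCES/APT variables exist only so it can be tried on a copy.

```shell
#!/bin/sh
# Added script, not from the original article: automates the release hop above.
# switch_release rewrites the suite name on deb/deb-src lines (dapper -> edgy,
# then edgy -> feisty) keeping a backup; upgrade_until_clean repeats dist-upgrade
# until apt reports nothing left, which is why the article runs it 2-3 times.
# Run as root. SOURCES and APT can be overridden for testing on a copy.

SOURCES=${SOURCES:-/etc/apt/sources.list}
APT=${APT:-apt-get}

# switch_release FROM TO [FILE]: only fields after the URL are touched, and only
# when they equal FROM or start with "FROM-" (dapper-security -> edgy-security).
# Comments and unrelated text are left alone. A copy is kept as FILE.bak.FROM.
switch_release() {
    from=$1; to=$2; f=${3:-$SOURCES}
    cp -p "$f" "$f.bak.$from" || return 1
    awk -v from="$from" -v to="$to" '
        /^[[:space:]]*deb(-src)?[[:space:]]/ {
            for (i = 3; i <= NF; i++)
                if ($i == from || index($i, from "-") == 1) sub("^" from, to, $i)
        }
        { print }' "$f.bak.$from" > "$f"
}

# count_release NAME [FILE]: number of deb/deb-src lines still pointing at NAME,
# a check that nothing was missed before running the upgrade.
count_release() {
    awk -v r="$1" '
        /^[[:space:]]*deb(-src)?[[:space:]]/ {
            for (i = 3; i <= NF; i++)
                if ($i == r || index($i, r "-") == 1) { c++; break }
        }
        END { print c + 0 }' "${2:-$SOURCES}"
}

# upgrade_until_clean [MAX]: one dist-upgrade pass can leave packages behind, so
# loop until a pass reports no work, fixing broken installs between passes.
upgrade_until_clean() {
    max=${1:-4}; i=0
    $APT update || return 1
    while [ "$i" -lt "$max" ]; do
        i=$((i + 1))
        out=$($APT -y dist-upgrade 2>&1) || { $APT -y -f install; dpkg --configure -a; }
        printf '%s\n' "$out" | tail -n 3
        case "$out" in *"0 upgraded, 0 newly installed, 0 to remove"*) return 0 ;; esac
    done
    return 1
}
```

A typical run is `switch_release dapper edgy && count_release dapper && upgrade_until_clean`, then reboot as the article says.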
Locking a few things down
tcp wrappers
Add the following to /etc/hosts.deny. I like to set tcp wrappers to block everything by default, then allow what I want.
ALL: ALL: DENY
Add the following to /etc/hosts.allow.
sshd: ALL
sshd
I like to modify the default /etc/ssh/sshd_config file a bit. I add/modify the following.
## I like to change the default port. Helps reduce brute force load and lots of log messages.
Port <somenumber>
## no direct root login over ssh
PermitRootLogin no
## ssh protocol 2 only
Protocol 2
## no X on this box anyway
X11Forwarding no
## only allow specific users ssh access
AllowUsers <myusername>
## speeds up login a bit. reverse lookups don't really add much security anyway.
UseDNS no
firewall - iptables
- Configure iptables rules. This is outside the scope of this doc. Just make sure to allow access to the non-default ssh port that sshd is now listening on.
random stuff
I changed /etc/default/rcS in the following manner.
EDITMOTD=no
And /etc/init.d/rc:
CONCURRENCY=shell
In /etc/hosts, I commented out all the ipv6 addresses. I am not currently serving ipv6 to anyone, so turn it off! Also modify /etc/modprobe.d/aliases accordingly.
alias net-pf-10 off
Google Apps Signup
I won't cover the actual Google Apps sign-up process. The Google Apps documentation covers that well enough. I will, however, cover the Slicehost side of the configuration.
DNS
In order to use Google Apps with my Slicehost slice, I had to add several DNS records. I am using Slicehost's provided DNS service, which seems to work very well.
These are the relevant records that I added...
domain.com. A 127.127.127.127
domain.com. NS ns1.slicehost.net.
domain.com. NS ns2.slicehost.net.
domain.com. NS ns3.slicehost.net.
domain.com. MX 1 ASPMX.L.GOOGLE.COM.
domain.com. MX 5 ALT1.ASPMX.L.GOOGLE.COM.
domain.com. MX 5 ALT2.ASPMX.L.GOOGLE.COM.
domain.com. MX 10 ASPMX2.GOOGLEMAIL.COM.
domain.com. MX 10 ASPMX3.GOOGLEMAIL.COM.
domain.com. MX 10 ASPMX4.GOOGLEMAIL.COM.
domain.com. MX 10 ASPMX5.GOOGLEMAIL.COM.
domain.com. TXT "v=spf1 include:aspmx.googlemail.com ~all"
_xmpp-server._tcp.domain.com. SRV 5 0 5269 xmpp-server.l.google.com.
_xmpp-server._tcp.domain.com. SRV 20 0 5269 xmpp-server1.l.google.com.
_xmpp-server._tcp.domain.com. SRV 20 0 5269 xmpp-server2.l.google.com.
_xmpp-server._tcp.domain.com. SRV 20 0 5269 xmpp-server3.l.google.com.
_xmpp-server._tcp.domain.com. SRV 20 0 5269 xmpp-server4.l.google.com.
_jabber._tcp.domain.com. SRV 5 0 5269 xmpp-server.l.google.com.
_jabber._tcp.domain.com. SRV 20 0 5269 xmpp-server1.l.google.com.
_jabber._tcp.domain.com. SRV 20 0 5269 xmpp-server2.l.google.com.
_jabber._tcp.domain.com. SRV 20 0 5269 xmpp-server3.l.google.com.
_jabber._tcp.domain.com. SRV 20 0 5269 xmpp-server4.l.google.com.
_xmpp-client._tcp.domain.com. SRV 5 0 5222 talk.l.google.com.
_xmpp-client._tcp.domain.com. SRV 20 0 5222 talk1.l.google.com.
_xmpp-client._tcp.domain.com. SRV 20 0 5222 talk2.l.google.com.
Yes, those domains really do all end in a dot. It is required. If the dot is not present at the end, your domain will be auto-suffixed.
Note: in the above, replace domain.com. with your domain. Also replace 127.127.127.127 with your server's IP address.
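The trailing-dot rule is easy to get wrong when typing a list this long, so here is an added lint, not from the original article, that reads records in the format shown above and reports any owner name or NS/MX/CNAME/SRV target that is not absolute. The function name lint_records and the treatment of A/AAAA/TXT values as non-names are my assumptions.

```shell
#!/bin/sh
# Added helper, not from the original article: lints a record list in the format
# shown above before it is entered. The error the text warns about is a missing
# trailing dot: a relative name gets the zone appended, so "domain.com" would
# silently become domain.com.domain.com. Targets of NS, MX, CNAME and SRV are
# hostnames and must be absolute too; A, AAAA and TXT values are not names.
lint_records() {
    awk '
        function absolute(name) { return name ~ /\.$/ }
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        {
            bad = ""
            if (!absolute($1)) bad = bad " owner=" $1
            t = $2
            if (t == "NS" || t == "CNAME") { if (!absolute($3)) bad = bad " target=" $3 }
            else if (t == "MX")            { if (!absolute($4)) bad = bad " target=" $4 }
            else if (t == "SRV")           { if (!absolute($6)) bad = bad " target=" $6 }
            else if (t != "A" && t != "AAAA" && t != "TXT") bad = bad " unknown-type=" t
            if (bad != "") { print "line " NR ":" bad; n++ }
        }
        END { exit n + 0 }' "$1"
}
```

The exit status is the number of bad lines, so `lint_records records.txt || echo "fix the dots first"` works as a gate.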
Jabber/xmpp
I use Gajim for xmpp messaging. To configure Gajim for gtalk...
- Start up Gajim.
- Create a new account.
- Select 'I already have an account'.
- For the Username field, enter your Google Apps username (email user, not necessarily admin user).
- For the Server field, enter your domain.
- Enter your password in the Password field.
- Click Next, then click Advanced.
- Go to the Connection tab.
- Put a checkmark in Use SSL, Send keep-alive packets, and Use custom hostname/port.
- For Hostname, enter talk.google.com.
- For Port, enter 5223.
- Click Save.
That should be it. You should now be able to add buddies and chat away.
SMTP
I needed to get mail sent off the box, but I didn't need a full MTA. I only needed cron job emails, custom notifications, rss2email, and a few other random messages. No mail receiving, just sending.
I used postfix at first, because I know the configuration of postfix fairly well. Postfix is overkill for what I need though. It was sitting idle pretty much all the time, and using some memory that I could use elsewhere (I have a 256 slice).
Since I use Google Apps for my mail hosting, it made sense to leverage that for sending mail from this box too. The solution was msmtp.
MSMTP
The configuration for msmtp is fairly simple: just an /etc/msmtprc file.
Prerequisites
Depending on the distribution, you may need to install the following packages:
- msmtp
- msmtp-mta
- ca-certificates
You need to create a 'send only' email account in Google Apps. That is the account used for configuring msmtp.
Configuration file
Here is the /etc/msmtprc file.
account default
host smtp.gmail.com
port 587
auth on
user yourSendOnlyMailAccount@YourDomain.com
password YourSendOnlyMailAccountPassword
auto_from off
from yourSendOnlyMailAccount@YourDomain.com
maildomain YourDomain.com
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile
syslog LOG_MAIL
Make sure the tls_trust_file path to the ca-certificates file is correct. Also make sure the user, password, and maildomain values are correct for your environment.
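Since that file holds the send-only account's password in clear, here is an added check, not from the original article, that verifies the file's permissions and the TLS/auth settings above before msmtp is wired in as the sendmail replacement. The function names are my own, and the expectation of mode 600 is an assumption about how a file with a stored password should be kept.

```shell
#!/bin/sh
# Added check, not part of the original article: sanity-check an msmtprc before
# relying on it. The file holds a plaintext Google Apps password, so it must not
# be readable by other users, and the TLS settings and CA bundle must be in place.

# msmtprc_value FILE KEY: print the value of the first uncommented KEY line.
msmtprc_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_msmtprc FILE: prints each problem and returns the count (0 means sound).
check_msmtprc() {
    f=$1; n=0
    # Permissions: anything beyond owner read/write exposes the password.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode; expected 600 (password is stored in clear)"; n=$((n + 1)) ;;
    esac
    [ "$(msmtprc_value "$f" tls)" = on ]          || { echo "$f: tls is not on"; n=$((n + 1)); }
    [ "$(msmtprc_value "$f" tls_starttls)" = on ] || { echo "$f: tls_starttls is not on (port 587 needs STARTTLS)"; n=$((n + 1)); }
    [ "$(msmtprc_value "$f" auth)" = on ]         || { echo "$f: auth is not on"; n=$((n + 1)); }
    trust=$(msmtprc_value "$f" tls_trust_file)
    [ -n "$trust" ] && [ -r "$trust" ] || { echo "$f: tls_trust_file '$trust' missing or unreadable"; n=$((n + 1)); }
    return "$n"
}
```

Run `check_msmtprc /etc/msmtprc` after editing; a missing trust file is the usual cause of msmtp refusing to talk to smtp.gmail.com.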