diff --git a/bootstrap/selfconfig-root b/bootstrap/selfconfig-root index 8f511728d..a9bde1fdd 100755 --- a/bootstrap/selfconfig-root +++ b/bootstrap/selfconfig-root @@ -68,13 +68,13 @@ my @required_debs = qw( libexpat1-dev libgetopt-long-descriptive-perl libpath-tiny-perl + libsasl2-modules libssl-dev nginx python3-certbot-nginx + ufw unzip zlib1g-dev - libsasl2-modules - ufw ); run_cmd(qw(apt-get -o DPkg::Lock::Timeout=60 install -y), @required_debs); diff --git a/doc/install-prod.md b/doc/install-prod.md index 32c44c118..12e4874dc 100644 --- a/doc/install-prod.md +++ b/doc/install-prod.md @@ -66,6 +66,17 @@ Install node exporter. apt -y install prometheus-node-exporter ``` +### General + +You probably want to enable some non-default collectors. In +`/etc/default/prometheus-node-exporter`: + +``` +ARGS="--collector.systemd" +``` + +### nginx + Consider [nginx-prometheus-exporter](https://github.com/nginxinc/nginx-prometheus-exporter). @@ -95,6 +106,8 @@ server { ## Additional Configuration +### Fail2ban + Default fail2ban bantime is very short. Make it longer: ``` @@ -102,6 +115,20 @@ fail2ban-client start sshd fail2ban-client set sshd bantime 86400 ``` +Make sure that fail2ban is reading logs. Run `fail2ban-client status +sshd`. If it's not failing any IPs, that's a sign it's not working. +The default backend of `auto` normally works, but may get confused if +`/var/log/auth.log` exists. If deleting `/var/log/auth.log` doesn't +work, or you want to force it to always read the journal... in +`/etc/fail2ban/jail.conf`: + +``` +[DEFAULT] +backend = systemd +``` + +### Package upgrades + Automatic security upgrades are a good idea, and probably outweigh the risks.
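Review bot: The `bootstrap/selfconfig-root` hunk is a reorder only; `libsasl2-modules` and `ufw` move from the tail of `@required_debs` into alphabetical position and the installed package set is unchanged. Fine as a cleanup, but say so in the commit message so a reader skimming the log does not read it as a dependency change.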
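Review bot: In the `### General` hunk of `doc/install-prod.md`, `ARGS="--collector.systemd"` as written replaces whatever `ARGS` the packaged `/etc/default/prometheus-node-exporter` already carries, so a reader who pastes it verbatim drops any existing flags rather than adding one. Phrase it as "add `--collector.systemd` to the existing `ARGS`", and add the two steps the page currently leaves implicit: `systemctl restart prometheus-node-exporter` and a check such as `curl -s localhost:9100/metrics | grep -c node_systemd_` to confirm the collector is actually exposing metrics.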
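Review bot: The `### Fail2ban` hunk only adds a heading, but it now labels the `fail2ban-client set sshd bantime 86400` block beneath it, and that command is a runtime change: it is lost the next time the fail2ban service restarts or the host reboots. Since this is a production install guide, either state that caveat next to the command or give the persistent form instead, `bantime = 86400` under `[sshd]` (or `[DEFAULT]`) in `/etc/fail2ban/jail.local`, followed by `fail2ban-client reload`.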
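Review bot: The backend hunk tells the reader to edit `/etc/fail2ban/jail.conf`, which is the package-shipped file and is overwritten or prompts a conffile merge on every fail2ban upgrade; fail2ban's own header in that file says local overrides belong in `jail.local` or `jail.d/*.conf`. Point the `[DEFAULT] / backend = systemd` snippet at `/etc/fail2ban/jail.local` and say that fail2ban must be restarted (or `fail2ban-client reload`) for it to take effect. Two smaller points in the same hunk: "not failing any IPs" is hard to act on without saying which counter to look at, so name the `Currently failed` / `Total failed` lines that `fail2ban-client status sshd` prints; and "deleting `/var/log/auth.log`" deserves a qualifier, because if a syslog daemon is installed and writing that file, removing it is the wrong fix and the `backend = systemd` setting is the one to reach for directly.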