Java Developer

Preparing a Linux development server

Whether you are working on a team or as a single developer, it is beneficial to set up your own development server. You can use it as a code repository, project management tool, or application server. For a single developer, or for those working remotely with a team, renting a dedicated server or VPS is a good choice because you can access your server from any location.
For the operating system, I recommend Debian 7 because it is clean, stable, and easy to use. Ubuntu is also a good choice because it is updated frequently and contains the latest software packages.

Clean Up

After installing your operating system, you will want to clean up some pre-installed applications. Every network service you remove is one less thing listening on the server. Run these as root:

$ apt-get -q -y remove --purge portmap
$ apt-get -q -y remove --purge 'apache2*'
$ apt-get -q -y remove --purge bind9
$ apt-get -q -y remove --purge 'samba*'
$ apt-get -q -y remove --purge nscd
$ invoke-rc.d sendmail stop
$ apt-get -q -y remove --purge 'sendmail*'

Password-less login

Next, we prepare our server for password-less login. This is important for both security and ease of use, because you can connect to your server with SSH keys instead of typing in a password.
Create a user on your server that you will log in as. It's not a good idea to log in as root to your server remotely.
$ adduser javaguy
And fill in the prompts accordingly.

If your desktop user has no SSH key yet, do the following on your desktop:

$ ssh-keygen

Then upload your public key to the server:

$ ssh-copy-id javaguy@server-ip-address

After that, you can test logging in to the server without supplying any password:

$ ssh javaguy@server-ip-address

Change your SSH port

For security by obscurity, you will want to change the SSH port of your server to a very high value, e.g. 66155 or any very high number less than 65535. This is how you do it:

$ sed -i "/Port/cPort 66155" /etc/ssh/sshd_config

Then disable root login and password based login:

$ sed -i "/PermitRootLogin/cPermitRootLogin no" /etc/ssh/sshd_config
$ sed -i "/PasswordAuthentication/cPasswordAuthentication no" /etc/ssh/sshd_config

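Restart the SSH server for the changes to take effect. Keep your current session open until you have confirmed that a new login works:

$ service ssh restart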

You can test the connection with:

$ ssh javaguy@server-ip-address -p 66155

You may want to edit your desktop SSH config file to define the new port to use when connecting to the server. Edit $HOME/.ssh/config and add the following:

Host server-ip-address-or-domain-name
    Port 66155

And then try to connect without supplying the port.

$ ssh javaguy@server-ip-address
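
Because the sed edits above rewrite whole lines and a bad sshd_config can lock you out after the restart, it helps to check the file first. The script below is an added example, not part of the original post; the function names and the sample config are constructed for illustration, and it assumes no Match blocks or Include files.

```shell
#!/bin/sh
# Added example: confirm sshd_config holds the values the sed edits intended.
# Assumes no Match blocks or Include files override these keywords.

# First uncommented value of keyword $2 in file $1 (sshd keeps the first one).
first_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 if file $1 is safe to restart with; otherwise print why and return 1.
check_sshd_hardening() {
    cfg=$1; rc=0
    # Port may appear several times and sshd listens on every one: check all.
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$cfg")
    [ -n "$ports" ] || { echo "Port: not set, sshd stays on 22"; rc=1; }
    for port in $ports; do
        case $port in
            *[!0-9]*) echo "Port: '$port' is not a number"; rc=1 ;;
            *) { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } ||
                   { echo "Port: $port is outside 1-65535"; rc=1; } ;;
        esac
    done
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(first_value "$cfg" "$key")
        [ "$val" = no ] || { echo "$key: '$val', expected 'no'"; rc=1; }
    done
    return $rc
}

# Constructed sample of the file after the edits; $1 = path, $2 = port.
write_sample() {
    printf '%s\n' '# Package generated configuration file' "Port $2" \
        'PermitRootLogin no' '#PasswordAuthentication yes' \
        'PasswordAuthentication no' > "$1"
}

# Demo on a temporary file; on the server pass /etc/ssh/sshd_config instead.
tmp=$(mktemp)
write_sample "$tmp" 66155
check_sshd_hardening "$tmp" || echo "do not restart ssh until this is fixed"
rm -f "$tmp"
```

Running `sshd -t` as root afterwards makes sshd itself parse the file and report syntax errors without restarting anything.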

Firewall

Create the file that will contain the rules. Create /etc/iptables.rules with these contents:

*filter
#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allows all outbound traffic
-A OUTPUT -j ACCEPT
#  Allows SSH connections to our new ssh port
-A INPUT -p tcp --dport 66155 -j ACCEPT
# Open Other TCP Ports (like 80 if you will install a webserver).  add more lines like this and change 80 to the port number that you like
-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

Apply it:

$ iptables -F
$ /sbin/iptables-restore < /etc/iptables.rules

Set the server up to apply the firewall rules automatically at start-up. Create /etc/network/if-pre-up.d/iptables with these contents:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules

And then make it executable:

$ chmod +x /etc/network/if-pre-up.d/iptables
