Virtual server

This document provides general information about our virtual servers.

Managing firewall rules

Each virtual server comes with the Shorewall firewall preinstalled and configured. The server has both an IPv4 and an IPv6 address, so any rule change must be made for both. The Shorewall configuration is in /etc/shorewall for IPv4 and /etc/shorewall6 for IPv6. You normally need to edit only the rules file. The default configuration blocks access to all ports; only ports individually opened in the rules file are accessible.

By default we’ve opened public access to the following ports:

  • 22 – SSH
  • 80 – HTTP
  • 443 – HTTPS

We’ve also opened a few monitoring-related ports to our monitoring server; these are not accessible from any other host.

  • 1 – ICMP (Ping)
  • 161, 162 – SNMP
  • 5666 – NAGIOS NRPE (nagios agent)
  • 3306 – MySQL

Normally you shouldn’t need to open any additional ports, and keeping them closed is better for security. If you do need to, edit /etc/shorewall/rules to open the port for your IPv4 address and /etc/shorewall6/rules to open it for your IPv6 address, then run the following commands to reload the rules. Be very careful, as incorrect rules may completely prevent access to your server. If you are uncertain about what you are doing, please contact support: we provide server maintenance at an hourly rate and can make the changes for you.

shorewall restart
shorewall6 restart
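
The requirement above that every change be made in both /etc/shorewall/rules and /etc/shorewall6/rules can be checked mechanically. This is an added example, not part of the original documentation or of Shorewall: the function names accept_keys and rule_parity and the sample rules are constructed for illustration, and it assumes plain ACCEPT rules in the standard ACTION SOURCE DEST PROTO DPORT column order.

```shell
#!/bin/sh
# Added example: report ports opened for one address family only.

# Print one "src>dst proto/port" key per tcp/udp ACCEPT rule in a Shorewall
# rules file. Host parts (net:192.0.2.10, net:[2001:db8::10]) are dropped so
# both families compare equal. Macro rules such as SSH(ACCEPT) are not expanded.
accept_keys() {
    awk '
        NF == 0 || $1 ~ /^[#?]/ || $1 == "SECTION" { next }   # blanks, comments, directives
        $1 != "ACCEPT" { next }
        $4 != "tcp" && $4 != "udp" { next }
        {
            src = $2; dst = $3
            sub(/:.*/, "", src); sub(/:.*/, "", dst)
            n = split($5, ports, ",")                          # "80,443" -> two keys
            for (i = 1; i <= n; i++) print src ">" dst " " $4 "/" ports[i]
        }' "$1" | sort -u
}

# Compare the IPv4 rules file ($1) with the IPv6 rules file ($2).
rule_parity() {
    v4=$(mktemp); v6=$(mktemp)
    accept_keys "$1" > "$v4"
    accept_keys "$2" > "$v6"
    comm -23 "$v4" "$v6" | sed 's/^/IPv4 only: /'
    comm -13 "$v4" "$v6" | sed 's/^/IPv6 only: /'
    rm -f "$v4" "$v6"
}

# Constructed sample files (not the real rules): 8080 is opened for IPv4 only.
demo=$(mktemp -d)
cat > "$demo/rules4" <<'EOF'
?SECTION NEW
ACCEPT  net              $FW  tcp  22
ACCEPT  net              $FW  tcp  80,443
ACCEPT  net:192.0.2.10   $FW  tcp  5666   # monitoring host (documentation address)
ACCEPT  net              $FW  tcp  8080
EOF
cat > "$demo/rules6" <<'EOF'
?SECTION NEW
ACCEPT  net                 $FW  tcp  22
ACCEPT  net                 $FW  tcp  80,443
ACCEPT  net:[2001:db8::10]  $FW  tcp  5666
EOF
rule_parity "$demo/rules4" "$demo/rules6"
```

On the server, run rule_parity /etc/shorewall/rules /etc/shorewall6/rules after editing. Running shorewall check and shorewall6 check first validates the configuration without applying it, which helps avoid the lock-out described above.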

Configuring backup

For backup we use a simple yet effective backup system called Tartarus. Backup is preconfigured to back up the whole system, excluding some temporary files. The backup configuration is in /etc/tartarus, which contains the following files and folders.

/backup.d
backup.sec
config
postprocess.inc

backup.sec

This is the secret key used to encrypt your backup. Copy it to a safe place, because without it your backup is useless: it can’t be decrypted.

config

This contains the settings shared by all backups. The main ones are your backup storage server hostname, username and password. We encrypt the backup both symmetrically and asymmetrically, so that you can access it with your backup key located in /etc/tartarus/backup.sec and we can use our private key to restore the backup if a total disaster happens.

# Generic settings for the backup

STORAGE_FTP_USE_SSL="yes"
# "yes" here means the storage server's certificate is not verified
STORAGE_FTP_SSL_INSECURE="yes"
STORAGE_METHOD="FTP"
STORAGE_FTP_SERVER="<YOURBACKUPSERVER>"
STORAGE_FTP_USER="<YOURUSERNAME>"
STORAGE_FTP_PASSWORD="<YOURPASSWORD>"
STORAGE_FTP_DIR="/"

DAYS_TO_KEEP=7
ENCRYPT_SYMMETRICALLY="yes"
ENCRYPT_PASSPHRASE_FILE="/etc/tartarus/backup.sec"
ENCRYPT_ASYMMETRICALLY="yes"
ENCRYPT_KEY_ID="3ABCC9DB"

COMPRESSION_METHOD="bzip2"
STAY_IN_FILESYSTEM="yes"
CREATE_LVM_SNAPSHOT="no"
CHECK_FOR_UPDATE="no"

INCREMENTAL_TIMESTAMP_DIR="/var/spool/tartarus/timestamps"

backup.d

This directory contains the backup configurations that are run by the nightly backup script. Here’s the root.conf that is created by default.

# Root filesystem backup
#
source /etc/tartarus/config

NAME="root"
DIRECTORY="/"
EXCLUDE="/tmp/ /dev/ /proc/ /sys/ /run/ /var/tmp/ /var/run/ /var/lib/mysql/ /var/spool/postfix/private/ /var/spool/postfix/public/ /srv/ /var/spool/postfix/dev /var/agentx"
INCREMENTAL_TIMESTAMP_FILE="${INCREMENTAL_TIMESTAMP_DIR}/${NAME}"

source /etc/tartarus/postprocess.inc