Changes

# packages not applicable to a VPS setting, or which we don't use at HostGIS # e.g. phpMyAdmin and phpPgAdmin are security holes

mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \

# the startup sequence and services, even the firewall

rc.scanluns rc.serial rc.udev rc.sysvinit rc.firewall

# clear out old/dummy SSL certificates mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl # fix file permissionsfind / -mount -nouser -exec chown root {} \; &find / -mount -nogroup -exec chgrp root {} \; &for i in \ /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \ /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \ /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \ /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write do chmod u-s $i ; done # fix Apache's configuration:# add ServerTokens prod# go to the htdocs Directory definition and change Indexes to -Indexes# delete the entries for phpmyadmin and phppgadminvi /etc/apache/httpd.conf # keep FTP users chrooted:echo "" >> /etc/proftpd.confecho "# keep all users chrooted to their homedir" >> /etc/proftpd.confecho "DefaultRoot ~" >> /etc/proftpd.conf

# allow the mailq to be checked by anybody:fix file permissions find / -mount -nouser -exec chown root {} \; & find / -mount -nogroup -exec chgrp smmsp root {} \; & for i in \ /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \ /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /varusr/spoolbin/mqueuetraceroute \chmod g+rx /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \ /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /varusr/spoolbin/mqueuewrite do chmod u-s $i ; done

</code>

A VPS cannot actually reboot, since there's no power switch to power-cycle the machineafter the VE has been shut down. OpenVZ emulates this effect rebooting with an external cronjobcalled vpsreboot (see /etc/cron.d/vz). In order to reboot a VPS that has been shut downand which is expecting a reboot, the shutdown sequence must create a dummy file named called /rebootin within the VPS's filesystem. Also, and emulates the /etc/mtab file should point by pointing it to /proc/mounts so it can detect So, some small changes are necessary to the / filesystemrc scripts.

# stop all services apachectl stop killall syslogd klogd udevd crond /etc/rc.d/rc.sendmail stop /etc/rc.d/rc.inetd stop /etc/webmin/stop /etc/rc.d/rc.pgsql stop /etc/rc.d/rc.mysqld stop killall named proftpdkillall xinetd

# blow away the network configuration with dummy strings for later replacement # replace the IP address with __IPADDRESS_ # replace the netmask with __NETMASK__ # replace the GATEWAY with __GATEWAY__ vi /etc/rc.d/rc.inet1.conf

# disable the root and user accounts # by changing the password for root and user to a ! character. vi /etc/shadow

# refresh the 'locate' cache /etc/cron.daily/slocate

# blank out the system logfiles for logfile in \ /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \ /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \ /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \ /var/log/apache/access_log /var/log/apache/error_log \ /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid do cp /dev/null $logfile ; done rmdir /var/log/sa

# clear the SSH host key rm -f /etc/ssh/ssh_host_*

# database server logfiles rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile

# delete vi backup files, bash_history files, and other small application crud unset HISTFILE find / -name '*~' \ -o -name .bash_history \ -o -name .gnupg \ -o -name .lesshst \ -o -name .viminfo \ -o -name .rnd \ -delete

# the junk anything under /tmp rm -rf /tmp/*