RFC and ICANN Compliance
- CoCCA supports all the RFC’s required by the Internet Corporation for Assigned Name and Numbers - the peak body for co-ordination of the Internet naming and numbering system (ICANN). Compliant with standards in Specifications 6 and 10 of the ICANN base agreement.
- List of supported RFCs
- Support for DNSSEC signing using OpenDNSSEC or Packet Clearing House PCH
- Anycast DNS using PCH Anycast. Additional Anycast using AfriNIC or LAC TLD also recommened - depending on region and TLD manager preference.
- Support for WHMCS, and desec.
- European GDPR Compliant.
Infrastructure
Changelog
Prerequisites - Updated September 2024
Basics:
- sudo apt update && sudo apt upgrade -y
- sudo apt install zip unzip
- sudo touch /etc/cloud/cloud-init.disabled
- sudo apt purge cloud-init -y
- sudo rm -Rf /etc/cloud
- sudo systemctl disable --now unattended-upgrades
- sudo apt remove unattended-upgrades
- sudo apt-get install gnupg
- sudo apt-get -y install yamllint
- sudo apt install bind9 bind9utils bind9-doc -y
- sudo apt install dnsutils
- sudo apt install ufw
- sudo apt install nano
- sudo apt install whois
- sudo apt-get install ttf-mscorefonts-installer
- sudo apt-get install fontconfig
- sudo fc-cache -f -v
- sudo apt install build-essential checkinstall zlib1g-dev -y
- sudo apt-get install libssl-dev
- sudo timedatectl set-timezone UTC
- sudo timedatectl set-ntp on
- sudo apt update && sudo apt upgrade -y
- sudo apt autoremove
Basic Security
Ubunutu firewall basic configuration, handy commands:
- sudo ufw enable | disable
- sudo ufw status numbered ( see rules )
- sudo ufw delete X ( delete a rule by number )
- sudo ufw reload ( after rule changes )
| sudo ufw allow from [trusted IP] to any port 22 ( if sshd is on non-standard port use that port ) sudo ufw allow from [trusted IP] to any port 53 sudo ufw allow from any to any port 80 sudo ufw allow from any to any port 443 sudo ufw allow from any to any port 700 |
Use fail2ban to protect against brute force/dictionary ssh attacks and mal-formed http requests. - tutorial
| sudo apt install fail2ban |
Basic sshd refinements. (we recommend using ssh keys tutorial)
sudo nano /etc/ssh/sshd_config
|
Protocol 2 Port XXX ( change port, config ufw to allow the selected port ) ListenAddress x.x.x.x ( if multiple IP, bind to one IP ) LogLevel VERBOSE AllowUsers user_1 user_2 ( list logins that are allowed to ssh ) LoginGraceTime 30 PermitRootLogin no MaxAuthTries 3 HostbasedAuthentication no IgnoreRhosts yes PermitEmptyPasswords no AllowTcpForwarding no X11Forwarding no ClientAliveInterval 300 ClientAliveCountMax 0 MaxStartups 2 |
PostgreSQL
Installation Instructions: https://www.postgresql.org/download/linux/ubuntu/
Create the file repository configuration:
| sudo apt install -y postgresql-common |
| sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh |
Update the package lists:
| sudo apt-get update sudo apt-get -y install postgresql-17 |
File to edit when tuning PG:
| sudo nano /etc/postgresql/17/main/postgresql.conf |
Set password for user "postgres" and create empty db to import backup.
| sudo -u postgres psql postgres \password postgres ( enter desired password when prompted ) CREATE database registry; \q (to exit the posgreSQL command interface ) |
Edit pg_hba.conf to force password confirmation for postgres commands Look for --- "Database administrative login by Unix domain socket", replace "peer" with "md5"
| sudo nano /etc/postgresql/17/main/pg_hba.conf |
Restart PG for changes to take effect:
| sudo pg_ctlcluster 17 main restart |
Import CoCCA database from a pg binary backup:
| pg_restore -U postgres -Fc -d registry < CoCCA-Backup.dump |
Java
Install Java JDK 1.8
| sudo mkdir /usr/lib/jvm cd /usr/lib/jvm Direct from Adoptium https://adoptium.net sudo wget --inet4-only https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u442-b06/OpenJDK8U-jdk_x64_linux_hotspot_8u442b06.tar.gz --no-check-certificate Extract download sudo tar -xvzf OpenJDK8U-jdk_x64_linux_hotspot_8u442b06.tar.gz |
Append the following command to open the environment variables file.
|
sudo nano /etc/environment
JAVA_HOME="/usr/lib/jvm/jdk8u442-b06" |
Run from command line.
|
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk8u442-b06/bin/java" 0 sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk8u442-b06/bin/javac" 0 sudo update-alternatives --set java /usr/lib/jvm/jdk8u442-b06/bin/java sudo update-alternatives --set javac /usr/lib/jvm/jdk8u442-b06/bin/javac |
Check Version
| java -version sudo update-alternatives --config java sudo update-alternatives --display java |
Resin
The http server used with CoCCA https://caucho.com
Before installing resin, install the JDK.
Recomended : Create a host name for your instance with an A record to match the server IP
|
cd /opt
sudo wget --inet4-only http://caucho.com/download/resin-4.0.67.tar.gz --no-check-certificate
tar -vzxf resin-4.0.67.tar.gz
cd resin-4.0.67
./configure --enable-64bit --prefix=/opt/resin/ --with-resin-root=/opt/resin --with-resin-log=/opt/resin/log --with-resin-conf=/opt/resin/conf sudo make && sudo make install |
Post Install Configuration: Download the CoCCA lab jks from CoCCA ( needed for EPP and https ).
| cd /opt/resin/conf/keys/ sudo wget --inet4-only https://updates.coccaregistry.org/jks/epp_coccaregistry_org.jks --no-check-certificate |
Download the latest CoCCA ROOT.war file
| cd /opt/resin/webapps/ sudo wget --inet4-only https://updates.coccaregistry.org/ROOT.war --no-check-certificate |
Get postgreSQL jdbc driver
| cd /opt/resin/lib/ wget --inet4-only https://jdbc.postgresql.org/download/postgresql-42.7.5.jar --no-check-certificate |
Rename default resin.xml and download resin config file for CoCCA:
| cd /opt/resin/conf mv resin.xml resin.backup |
Edit default resin config file:
- replace default IPs with your server IPs ( line 28 and 42 )
- replace default host registry.example.tld with your host name (line 75 and 83 ). Note: If you have not created an A record yet, you may put the server IP in place of the host name.
- insert postgreql password you created in postgesql section above ( line 92 )
| sudo nano /opt/resin/conf/resin.xml |
Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.
| /etc/init.d/resin stop | start | restart |
Go to your host name URL- https://registry.example.tld ( or https://ipaddress - will take ±15-20 seconds to load )
letsencrypt
Optional The CoCCA lab jks downloaded above will enable https connections but with a browser warning. If you want a free https certificate to match your host name, we suggest https://letsencrypt.org
| sudo apt install certbot |
Stop resin webserver to release port 80 and 443 temporarily.
| /etc/init.d/resin stop |
Request a new certificate
| sudo certbot certonly --standalone |
Create p12 (one long srting/command)
openssl pkcs12 -export -name sslcertificate -in /etc/letsencrypt/live/registry.example.tld/fullchain.pem -inkey /etc/letsencrypt/live/registry.example.tld/privkey.pem -out registry.example.tld.p12 |
Create Java keystore and import p12 (one long string/command):
/usr/lib/jvm/jdk8u442-b06/bin/keytool -importkeystore -destkeystore registry.example.tld.jks -srckeystore registry.example.tld.p12 -srcstoretype pkcs12 -alias sslcertificate |
Move newly created jks to the resin keys folder
| mv registry.example.tld.jks /opt/resin/conf/keys/registry.example.tld.jks |
Edit resin config file to enable new http certificate:
| sudo nano /opt/resin/conf/resin.xml |
Add the path, jks file name and password for the custom jks created above (lines 45 & 46)
Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.
| /etc/init.d/resin stop | start | restart |
NGINX proxy
To improve security install nginx as a reverse proxy.
| sudo apt update sudo apt install nginx systemctl status nginx sudo nano /etc/nginx/sites-available/registry.nic.tld |
When creating or edting the config files, replace "registry.nic.tld" with whatever host name is appropriate for your registry. Paste and then edit the content below.
| # HTTP redirect server { listen 80; # listen [::]:80; server_name registry.nic.tld; location / { return 301 https://registry.nic.tld$request_uri; } } # HTTPS server { listen 443 ssl; #listen [::]:443 ssl; keepalive_timeout 70; ssl_certificate /etc/letsencrypt/live/registry.nic.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/registry.nic.tld/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; server_name registry.nic.tld; location / { proxy_pass https://127.0.0.1:8443; include proxy_params; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; add_header Permissions-Policy "interest-cohort=()" always; # . files location ~ /\.(?!well-known) { deny all; } } } |
Save and exit, with nano you can do this by hitting CTRL+O then CTRL+X.
Next, enable this configuration file by creating a link from it to the sites-enabled directory that Nginx reads at startup:
| sudo ln -s /etc/nginx/sites-available/registry.nic.tld /etc/nginx/sites-enabled/ |
NGINX uses the default linked configuration file. Creating a reverse proxy requires creating and linking a custom file. To avoid any potential conflicts, use the following command:
| sudo unlink /etc/nginx/sites-enabled/default |
sudo nginx -t
To configure NGINX to launch on reboot automatically, enable the service with:
| sudo systemctl enable nginx |
Create a non-root user
| sudo useradd -m -d /opt/nginxuser -U -s /bin/false nginxuser |
Grant nginxuser Necessary Permissions
| sudo chown -R nginxuser:nginxuser /var/log/nginx sudo chown -R nginxuser:nginxuser /var/lib/nginx |
Now, Open the Nginx configuration file in a text editor.
| sudo nano /etc/nginx/nginx.conf |
Within the configuration file, locate the user directive (top of the conf file), and set it to the non-root user you created.
|
Save and exit, with nano you can do this by hitting CTRL+O then CTRL+X.
Test the Configuration
| sudo nginx -t |
Edit resin.xml config file /opt/resin/conf/resin.xml
Change listen IPs to 127.0.0.1 and ::1 ( if you use Ipv6 )
Change ports from 80 and 443 to 8080 and 8443
| sudo nano /opt/resin/conf/resin.xml |
| /etc/init.d/resin stop | start |
| sudo systemctl stop | start nginx |
Check the process using the following command to ensure that Nginx is running with the non-root user.
| ps aux | grep nginx |