System build
------------

All systems should run on Debian 7 or newer; however, officially only Debian 7 is supported and tested.

### Manual build

* Consider using [RBENV](https://github.com/sstephenson/rbenv)
* Compile the required [ruby version](https://github.com/internetee/registry/blob/master/.ruby-version)
* [Phusion passenger](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html)
* [Postgresql](http://www.postgresql.org/docs/)

The registry application is not tested with multi-threaded application servers (such as Puma), and these are not officially supported. Please use a multi-process server instead (Passenger, Unicorn, Mongrel).

Use the Phusion Passenger [official debian packages](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#install_on_debian_ubuntu).

NB! The Passenger runtime does not depend on the ruby version, so apps using different ruby versions can share the same Passenger install.

We also recommend reading the [Passenger Optimization Guide](https://www.phusionpassenger.com/documentation/ServerOptimizationGuide.html) for proper configuration.

### For building gem libs

Please install the following lib, otherwise your bundler install might fail:

````
sudo apt-get install libxml2-dev
````

### RBENV install

````
cd /home/registry
git clone https://github.com/sstephenson/rbenv.git /home/registry/.rbenv
git clone https://github.com/sstephenson/ruby-build.git /home/registry/.rbenv/plugins/ruby-build
````

### RBENV upgrade

````
cd .rbenv
git pull origin master
cd plugins/ruby-build
git pull origin master
````

### Firewall rate limit config

First increase the maximum possible value of the iptables `--hitcount` parameter from 20 to 100 by raising the `ip_pkt_list_tot` parameter of the xt_recent kernel module. This can be done by creating an `ip_pkt_list_tot.conf` file in `/etc/modprobe.d/` which contains:

````
options xt_recent ip_pkt_list_tot=100
````

Once the file is created, reload the xt_recent kernel module via

````
modprobe -r xt_recent && modprobe xt_recent
````

or reboot the system.
#### Registrar, REPP, Restful-whois

````
#!/bin/bash
# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
IPT=/sbin/iptables
# Time window in seconds (not named SECONDS: bash reserves that variable as a running timer)
WINDOW=60
# Max new connections per IP within the window
BLOCKCOUNT=100
# default action can be DROP or REJECT or something else.
DACTION="REJECT"

# Record every new connection to port 80 in the default xt_recent list
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# Apply DACTION once a source has opened BLOCKCOUNT new connections within WINDOW seconds
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
````

#### Whois

````
#!/bin/bash
# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
IPT=/sbin/iptables
# Time window in seconds (not named SECONDS: bash reserves that variable as a running timer)
WINDOW=60
# Max new connections per IP within the window
BLOCKCOUNT=100
# default action can be DROP or REJECT or something else.
DACTION="REJECT"

# Record every new connection to port 43 in the default xt_recent list
$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --set
# Apply DACTION once a source has opened BLOCKCOUNT new connections within WINDOW seconds
$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
````

#### EPP

The iptables hit counter for the per-registrar list is updated by the application.

````
#!/bin/bash
# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
IPT=/sbin/iptables
# Registrar handle; also the name of the xt_recent list (/proc/net/xt_recent/<REGISTRAR_CODE>)
# that the application updates
REGISTRAR_CODE="test"
# Time window in seconds (not named SECONDS: bash reserves that variable as a running timer)
WINDOW=60
# Max connections per IP within the window
BLOCKCOUNT=100
# Source specification. The address can be either a network name, a hostname, a network IP address
# (with /mask), or a plain IP address. Hostnames are resolved once only, before the rule
# is submitted to the kernel. Please note that specifying any name to be resolved with
# a remote query such as DNS is a really bad idea. The mask can be either a network mask or
# a plain number specifying the number of 1's at the left side of the network mask.
# Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before
# the address specification inverts the sense of the address.
# The flag --src is an alias for this option. Multiple addresses can be specified,
# but this will expand to multiple rules (when adding with -A),
# or will cause multiple rules to be deleted (with -D).
REGISTRAR_HANDLE_SOURCE="x.x.x.x"
# default action can be DROP or REJECT or something else.
DACTION="REJECT"

# Record every new connection to port 700 in the default xt_recent list
$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set
# Apply DACTION once the registrar's own list (maintained by the application) shows
# BLOCKCOUNT hits within WINDOW seconds for connections from the registrar's source address
$IPT -A INPUT -p tcp --dport 700 -s $REGISTRAR_HANDLE_SOURCE -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount ${BLOCKCOUNT} --seconds ${WINDOW} -j ${DACTION}
````

After adding the iptables counters, give the application user ownership of the proc files under `/proc/net/xt_recent` so that it can update them. Example command:

````
sudo chown registry /proc/net/xt_recent/*
````
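The script below is an added example for checking the rate-limit setup described in this section; it is not part of this README or of the registry project's code. It covers two things an operator will want to verify after the steps above: that the loaded xt_recent module accepts the configured `--hitcount` (the module refuses a rule whose hitcount exceeds `ip_pkt_list_tot`, which is why the modprobe option is raised first), and which sources in a list under `/proc/net/xt_recent` have already recorded enough packets within the window to trip a `--rcheck --seconds N --hitcount M` rule. The list-file format (jiffies timestamps), the HZ value of 250 jiffies per second (Debian's default kernel setting, overridable through the environment), the parameter path and the sample list lines are all assumptions or constructed data so that the script runs offline.

```shell
#!/bin/bash
# Added example: sanity checks for an xt_recent based rate limit (not project code).
# Assumptions: list lines look like the ones /proc/net/xt_recent/<name> prints
# ("src=A.B.C.D ttl: N last_seen: J oldest_pkt: N J1, J2, ..." with jiffies
# timestamps), HZ=250 jiffies per second (override with the HZ env variable),
# and the sample list and parameter files below are constructed, not captured.

HZ=${HZ:-250}
PARAM_FILE=${PARAM_FILE:-/sys/module/xt_recent/parameters/ip_pkt_list_tot}

# Return 0 when the module's ip_pkt_list_tot (read from file $1) is at least
# the --hitcount value $2; iptables rejects the rule otherwise.
hitcount_fits() {
    local param_file=$1 hitcount=$2 limit=
    read -r limit < "$param_file" || [ -n "$limit" ] || return 2
    [ "$hitcount" -le "$limit" ]
}

# Print "source count" for every source in list file $1 that recorded at
# least $2 packets within $3 seconds of its last packet, i.e. the sources that
# a "--rcheck --seconds $3 --hitcount $2" rule would currently be rejecting.
xt_recent_bursts() {
    local file=$1 hitcount=$2 window=$3
    awk -v hitcount="$hitcount" -v window_j="$((window * HZ))" '
    /^src=/ {
        src = substr($1, 5)             # strip the "src=" prefix
        last = $5                       # jiffies of the most recent packet
        n = 0
        for (i = 8; i <= NF; i++) {     # timestamps follow "oldest_pkt: N"
            t = $i
            sub(/,$/, "", t)            # entries are comma separated
            if (last - t <= window_j) n++
        }
        if (n >= hitcount) printf "%s %d\n", src, n
    }' "$file"
}

# Constructed sample data: one bursting source and one quiet one.
SAMPLE_LIST=$(mktemp)
SAMPLE_PARAM=$(mktemp)
trap 'rm -f "$SAMPLE_LIST" "$SAMPLE_PARAM"' EXIT
cat > "$SAMPLE_LIST" <<'EOF'
src=198.51.100.7 ttl: 64 last_seen: 4295000000 oldest_pkt: 5 4294999000, 4294999200, 4294999500, 4294999800, 4295000000
src=203.0.113.9 ttl: 57 last_seen: 4295010000 oldest_pkt: 3 4294900000, 4294950000, 4295010000
EOF
echo 100 > "$SAMPLE_PARAM"

# Stand-alone run: use the real module parameter when present, else the sample.
param=$PARAM_FILE
[ -r "$param" ] || param=$SAMPLE_PARAM
if hitcount_fits "$param" 100; then
    echo "hitcount 100 fits ip_pkt_list_tot=$(cat "$param")"
else
    echo "hitcount 100 exceeds ip_pkt_list_tot; raise it in /etc/modprobe.d" >&2
fi
echo "sources with at least 4 hits within 60 s of their last packet:"
xt_recent_bursts "$SAMPLE_LIST" 4 60
```

On a live host, point `xt_recent_bursts` at `/proc/net/xt_recent/DEFAULT` (or at the registrar's named list) with the same window and hitcount as the rule; a source that shows up in the output is one the rule is already rejecting, which is the first thing to check when a registrar reports EPP connection failures.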