Differences

This shows you the differences between two versions of the page.

--- ubuntu_server_setup [2016/06/20 12:28]
mstraub [Ubuntu Server Setup]
+++ ubuntu_server_setup [2021/08/26 16:32]
mstraub [Java]
@@ Line 1: / Line 1: @@
+====== Ubuntu Server Setup ======
+This document should outline a few steps that are useful after a fresh install of an Ubuntu Server - last updated for 20.04.
+===== Install Useful Tools =====
+<code bash>
+sudo apt install mlocate htop ncdu ranger tldr tree vim
+</code>
+===== More Software =====
+==== Samba / CIFS ====
+If you need to mount Windows network drives:
+<code bash>
+sudo apt install cifs-utils
+</code>
+==== Java ====
+If you are fine with the OpenJDK version that comes with your Ubuntu:
+<code bash>
+sudo apt install openjdk-11-jdk-headless
+</code>
+A good alternative if you want other versions is https://adoptopenjdk.net - they provide ppas for free.
+===== Lighttpd =====
+Their documentation is a little messy, here are the relevant pages:
+  * http://redmine.lighttpd.net/projects/lighttpd/wiki/TutorialConfiguration
+  * http://redmine.lighttpd.net/projects/1/wiki/HowToSimpleSSL
+  * http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
+===== OpenSSH =====
+Disable root login in ''/etc/ssh/sshd_config'':
+<code>
+PermitRootLogin no
+</code>
+A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in ''/etc/ssh/sshd_config'':
+<code>
+PasswordAuthentication no
+# <snip>
+# Match-block at end of file for exceptions:
+Match User fallbackuser
+  PasswordAuthentication yes
+</code>
+Ubuntu tutorials:
+[[https://help.ubuntu.com/community/SSH/OpenSSH/Keys]] \\
+[[https://help.ubuntu.com/community/SSH/OpenSSH/Configuring]]
+Further harden OpenSSH according to the [[https://stribika.github.io/2015/01/04/secure-secure-shell.html|secure secure shell guide]]
+===== Enable Automatic Security Updates =====
+Install unattended-upgrades:
+<code bash>
+sudo apt install unattended-upgrades
+</code>
+Or reconfigure it if it's already installed:
+<code bash>
+sudo dpkg-reconfigure -plow unattended-upgrades
+</code>
+This creates the file ''/etc/apt/apt.conf.d/20auto-upgrades''.
+To avoid filling up small hard drives over time (e.g. with multiple kernel versions) it may be useful to activate the equivalent of ''sudo apt autoremove'':
+Set ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' in ''/etc/apt/apt.conf.d/50unattended-upgrades''.
+See also:
+  * ''/etc/apt/apt.conf.d/20auto-upgrades'' (and ''man apt.conf'')
+  * [[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]\\
+  * [[https://ubuntu.com/server/docs/package-management]]
+===== Decrease Swappiness =====
+Add a line to ''/etc/sysctl.conf'' and override the default swappiness of 60 with a much lower value, e.g.
+<code>
+vm.swappiness=10
+</code>
+[[http://wiki.ubuntuusers.de/Swap]]
+===== Root Kit & Intrusion Detection =====
+Have a look at at e.g. [[http://wiki.ubuntuusers.de/chkrootkit|chkrootkit]] and tiger [[http://www.nongnu.org/tiger/|tiger]]
+===== Greeting =====
+If you fancy a nice greeting message:
+<file bash /etc/update-motd.d/99-greeting>
+#!/bin/bash
+# http://patorjk.com/software/taag/#p=display&h=1&f=Calvin%20S&t=my-server-name
+# http://patorjk.com/software/taag/#p=display&h=1&v=0&f=ANSI%20Regular&t=my-server-name
+echo "┌┬┐┬ ┬   ┌─┐┌─┐┬─┐┬  ┬┌─┐┬─┐   ┌┐┌┌─┐┌┬┐┌─┐"
+echo "│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ "
+echo "┴ ┴ ┴    └─┘└─┘┴└─ └┘ └─┘┴└─   ┘└┘┴ ┴┴ ┴└─┘"
+# or alternatively
+# figlet my-server-name
+</file>
+Don't forget to make the file executable.
+When using ''byobu'' delete ''~/.hushlogin'' to still see the greeting (and all other info you usually get when logging in).
+===== More Resources =====
+[[https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/]]

Small heaps of code

User Tools

Site Tools

Differences

Page Tools