ubuntu_server_setup
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
ubuntu_server_setup [2016/06/20 12:28] mstraub [Ubuntu Server Setup] |
ubuntu_server_setup [2021/10/18 16:19] mstraub [Java] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Ubuntu Server Setup ====== | ||
| + | This document should outline a few steps that are useful after a fresh install of an Ubuntu Server - last updated for 20.04. | ||
| + | |||
| + | ===== Install Useful Tools ===== | ||
| + | |||
| + | <code bash> | ||
| + | sudo apt install mlocate htop ncdu ranger tldr tree vim | ||
| + | </code> | ||
| + | |||
| + | ===== More Software ===== | ||
| + | |||
| + | ==== Samba / CIFS ==== | ||
| + | |||
| + | If you need to mount Windows network drives: | ||
| + | |||
| + | <code bash> | ||
| + | sudo apt install cifs-utils | ||
| + | </code> | ||
| + | |||
| + | ==== Java ==== | ||
| + | |||
| + | Ubuntu provides multiple versions of OpenJDK, e.g.: | ||
| + | |||
| + | <code bash> | ||
| + | sudo apt install openjdk-17-jdk-headless | ||
| + | </code> | ||
| + | |||
| + | If you need other versions check https://adoptium.net (previously named adoptopenjdk). Unfortunately as of 2021-10 they don't provide ppas but only .tar.gz files. But this may change soon. | ||
| + | ===== Lighttpd ===== | ||
| + | |||
| + | Their documentation is a little messy, here are the relevant pages: | ||
| + | * http://redmine.lighttpd.net/projects/lighttpd/wiki/TutorialConfiguration | ||
| + | * http://redmine.lighttpd.net/projects/1/wiki/HowToSimpleSSL | ||
| + | * http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL | ||
| + | |||
| + | ===== OpenSSH ===== | ||
| + | |||
| + | Disable root login in ''/etc/ssh/sshd_config'': | ||
| + | |||
| + | <code> | ||
| + | PermitRootLogin no | ||
| + | </code> | ||
| + | |||
| + | A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in ''/etc/ssh/sshd_config'': | ||
| + | <code> | ||
| + | PasswordAuthentication no | ||
| + | |||
| + | # <snip> | ||
| + | # Match-block at end of file for exceptions: | ||
| + | |||
| + | Match User fallbackuser | ||
| + | PasswordAuthentication yes | ||
| + | </code> | ||
| + | |||
| + | Ubuntu tutorials: | ||
| + | [[https://help.ubuntu.com/community/SSH/OpenSSH/Keys]] \\ | ||
| + | [[https://help.ubuntu.com/community/SSH/OpenSSH/Configuring]] | ||
| + | |||
| + | Further harden OpenSSH according to the [[https://stribika.github.io/2015/01/04/secure-secure-shell.html|secure secure shell guide]] | ||
| + | |||
| + | |||
| + | ===== Enable Automatic Security Updates ===== | ||
| + | |||
| + | Install unattended-upgrades: | ||
| + | |||
| + | <code bash> | ||
| + | sudo apt install unattended-upgrades | ||
| + | </code> | ||
| + | |||
| + | Or reconfigure it if it's already installed: | ||
| + | <code bash> | ||
| + | sudo dpkg-reconfigure -plow unattended-upgrades | ||
| + | </code> | ||
| + | This creates the file ''/etc/apt/apt.conf.d/20auto-upgrades''. | ||
| + | |||
| + | To avoid filling up small hard drives over time (e.g. with multiple kernel versions) it may be useful to activate the equivalent of ''sudo apt autoremove'': | ||
| + | |||
| + | Set ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' in ''/etc/apt/apt.conf.d/50unattended-upgrades''. | ||
| + | |||
| + | See also: | ||
| + | * ''/etc/apt/apt.conf.d/20auto-upgrades'' (and ''man apt.conf'') | ||
| + | * [[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]\\ | ||
| + | * [[https://ubuntu.com/server/docs/package-management]] | ||
| + | |||
| + | |||
| + | ===== Decrease Swappiness ===== | ||
| + | |||
| + | Add a line to ''/etc/sysctl.conf'' and override the default swappiness of 60 with a much lower value, e.g. | ||
| + | <code> | ||
| + | vm.swappiness=10 | ||
| + | </code> | ||
| + | |||
| + | [[http://wiki.ubuntuusers.de/Swap]] | ||
| + | |||
| + | ===== Root Kit & Intrusion Detection ===== | ||
| + | |||
| + | Have a look at at e.g. [[http://wiki.ubuntuusers.de/chkrootkit|chkrootkit]] and tiger [[http://www.nongnu.org/tiger/|tiger]] | ||
| + | |||
| + | ===== Greeting ===== | ||
| + | |||
| + | If you fancy a nice greeting message: | ||
| + | |||
| + | <file bash /etc/update-motd.d/99-greeting> | ||
| + | #!/bin/bash | ||
| + | |||
| + | # http://patorjk.com/software/taag/#p=display&h=1&f=Calvin%20S&t=my-server-name | ||
| + | # http://patorjk.com/software/taag/#p=display&h=1&v=0&f=ANSI%20Regular&t=my-server-name | ||
| + | echo "┌┬┐┬ ┬ ┌─┐┌─┐┬─┐┬ ┬┌─┐┬─┐ ┌┐┌┌─┐┌┬┐┌─┐" | ||
| + | echo "│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ " | ||
| + | echo "┴ ┴ ┴ └─┘└─┘┴└─ └┘ └─┘┴└─ ┘└┘┴ ┴┴ ┴└─┘" | ||
| + | |||
| + | # or alternatively | ||
| + | # figlet my-server-name | ||
| + | </file> | ||
| + | |||
| + | Don't forget to make the file executable. | ||
| + | |||
| + | When using ''byobu'' delete ''~/.hushlogin'' to still see the greeting (and all other info you usually get when logging in). | ||
| + | ===== More Resources ===== | ||
| + | |||
| + | [[https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/]] | ||
ubuntu_server_setup.txt · Last modified: 2021/10/18 16:19 by mstraub
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
