This shows you the differences between two versions of the page.
ubuntu_server_setup [2018/07/19 13:01] mstraub [Root Kit & Intrusion Detection] |
ubuntu_server_setup [2021/10/18 16:19] mstraub [Java] |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Ubuntu Server Setup ====== | ====== Ubuntu Server Setup ====== | ||
- | This document should outline a few steps that are useful after a fresh install of an Ubuntu Server. | + | This document should outline a few steps that are useful after a fresh install of an Ubuntu Server - last updated for 20.04. |
- | ===== Basic Packages ===== | + | ===== Install Useful Tools ===== |
- | If you are dealing with a minimal installation (meta-package ubuntu-minimal) you may want to beef it up a bit. Check what packages are typically bundled e.g. when installing Ubuntu Server or just select your server style: | + | <code bash> |
- | <code> | + | sudo apt install mlocate htop ncdu ranger tldr tree vim |
- | tasksel # ncurses GUI | + | |
- | tasksel --list-tasks | + | |
- | tasksel --task-packages server | + | |
</code> | </code> | ||
- | Some additional packages for easier CLI handling: | + | ===== More Software ===== |
- | <code> | + | |
- | sudo apt-get install bash-completion ubuntu-release-upgrader-core software-properties-common | + | ==== Samba / CIFS ==== |
- | </code> | + | |
- | ===== Oracle Java ===== | + | If you need to mount Windows network drives: |
- | If you need Oracle Java install it from this 3rd party repo (which is updated regularly): | ||
<code bash> | <code bash> | ||
- | sudo add-apt-repository ppa:webupd8team/java | + | sudo apt install cifs-utils |
- | sudo apt-get update | + | |
- | sudo apt-get install oracle-java8-installer | + | |
</code> | </code> | ||
- | [[http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html|original source]], [[https://wiki.ubuntuusers.de/Java/Installation/Oracle_Java/Java_8|more info @ ubuntuusers.de]] | + | ==== Java ==== |
+ | Ubuntu provides multiple versions of OpenJDK, e.g.: | ||
+ | <code bash> | ||
+ | sudo apt install openjdk-17-jdk-headless | ||
+ | </code> | ||
+ | |||
+ | If you need other versions check https://adoptium.net (previously named adoptopenjdk). Unfortunately as of 2021-10 they don't provide ppas but only .tar.gz files. But this may change soon. | ||
===== Lighttpd ===== | ===== Lighttpd ===== | ||
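Review bot: the new Java paragraph sends readers to .tar.gz downloads from adoptium.net without saying that a JDK installed this way sits outside apt, so the unattended-upgrades setup described later on this page will never patch it. Suggest adding one sentence stating that, plus a reminder to verify the archive against the checksum published with the release before unpacking it, and to re-check for new releases by hand. The ''openjdk-17-jdk-headless'' route does not have this problem and could be marked as the preferred one.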
Line 36: | Line 36: | ||
===== OpenSSH ===== | ===== OpenSSH ===== | ||
+ | |||
+ | Disable root login in ''/etc/ssh/sshd_config'': | ||
+ | |||
+ | <code> | ||
+ | PermitRootLogin no | ||
+ | </code> | ||
A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in ''/etc/ssh/sshd_config'': | A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in ''/etc/ssh/sshd_config'': | ||
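Review bot: the added ''PermitRootLogin no'' block stops at the config line and leaves out the steps that make the change safe to apply. Suggest telling the reader to confirm that a non-root user with sudo rights can log in first, to validate the file with ''sudo sshd -t'', and to reload the SSH service afterwards, keeping the current session open until a fresh login has been tested. The block also uses a bare ''<code>'' while the rest of the page tags its blocks, which is worth aligning.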
Line 57: | Line 63: | ||
===== Enable Automatic Security Updates ===== | ===== Enable Automatic Security Updates ===== | ||
- | Quickly enable unattended upgrades: | + | Install unattended-upgrades: |
+ | |||
+ | <code bash> | ||
+ | sudo apt install unattended-upgrades | ||
+ | </code> | ||
+ | |||
+ | Or reconfigure it if it's already installed: | ||
<code bash> | <code bash> | ||
sudo dpkg-reconfigure -plow unattended-upgrades | sudo dpkg-reconfigure -plow unattended-upgrades | ||
</code> | </code> | ||
+ | This creates the file ''/etc/apt/apt.conf.d/20auto-upgrades''. | ||
- | Then set ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' in ''/etc/apt/apt.conf.d/50unattended-upgrades''. | + | To avoid filling up small hard drives over time (e.g. with multiple kernel versions) it may be useful to activate the equivalent of ''sudo apt autoremove'': |
+ | |||
+ | Set ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' in ''/etc/apt/apt.conf.d/50unattended-upgrades''. | ||
See also: | See also: | ||
* ''/etc/apt/apt.conf.d/20auto-upgrades'' (and ''man apt.conf'') | * ''/etc/apt/apt.conf.d/20auto-upgrades'' (and ''man apt.conf'') | ||
* [[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]\\ | * [[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]\\ | ||
- | * [[https://help.ubuntu.com/16.04/serverguide/automatic-updates.html]] | + | * [[https://ubuntu.com/server/docs/package-management]] |
- | + | ||
- | ==== Ubuntu <= 14.04 ==== | + | |
- | Unattended-Upgrade::Remove-Unused-Dependencies seems to be broken in Ubuntu 14.04. This entry in ''/etc/crontab'' should do the trick by daily executing autoremove: | + | |
- | + | ||
- | <code> | + | |
- | 0 0 * * * root apt-get autoremove -y >> /var/log/autoremovecronjob.log 2>&1 | + | |
- | </code> | + | |
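Review bot: the rewritten section installs and reconfigures unattended-upgrades but gives no way to confirm that upgrades will actually run. Suggest adding a check after the ''dpkg-reconfigure'' step, for example ''sudo unattended-upgrade --dry-run --debug'', and showing the two values expected in ''/etc/apt/apt.conf.d/20auto-upgrades''. Two smaller points: "This creates the file" follows the reconfigure block, so it is unclear whether a plain install also creates it, and the sentence ending in "''sudo apt autoremove'':" is followed by another sentence rather than a block, so the colon should be a full stop or the two sentences merged.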
Line 99: | Line 106: | ||
# http://patorjk.com/software/taag/#p=display&h=1&f=Calvin%20S&t=my-server-name | # http://patorjk.com/software/taag/#p=display&h=1&f=Calvin%20S&t=my-server-name | ||
+ | # http://patorjk.com/software/taag/#p=display&h=1&v=0&f=ANSI%20Regular&t=my-server-name | ||
echo "┌┬┐┬ ┬ ┌─┐┌─┐┬─┐┬ ┬┌─┐┬─┐ ┌┐┌┌─┐┌┬┐┌─┐" | echo "┌┬┐┬ ┬ ┌─┐┌─┐┬─┐┬ ┬┌─┐┬─┐ ┌┐┌┌─┐┌┬┐┌─┐" | ||
echo "│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ " | echo "│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ " | ||
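Review bot: the added generator link selects the ANSI Regular font, but the ''echo'' lines that follow are still the Calvin S output from the first link. Suggest marking the new comment as an alternative font so readers do not expect it to reproduce the banner below.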
Line 106: | Line 114: | ||
# figlet my-server-name | # figlet my-server-name | ||
</file> | </file> | ||
+ | |||
+ | Don't forget to make the file executable. | ||
+ | |||
+ | When using ''byobu'' delete ''~/.hushlogin'' to still see the greeting (and all other info you usually get when logging in). | ||
===== More Resources ===== | ===== More Resources ===== | ||
- | [[http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers]]\\ | + | [[https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/]] |
- | [[https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics]] | + |
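Review bot: "Don't forget to make the file executable" names neither the file nor the command. Suggest giving the full path of the greeting script and the exact ''chmod'' invocation, with a mode that keeps the script writable by its owner only, since it runs at every login. Separately, the More Resources change drops both earlier links in favour of a single one; if either is still reachable it may be worth keeping alongside the new checklist.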