@raikel
Last active October 11, 2024 21:46
Ubuntu server setup

Avoid SSH connections being dropped due to inactivity

On the server, edit the file /etc/ssh/sshd_config:

ClientAliveInterval 30
ClientAliveCountMax 10

Next, restart the sshd service: sudo systemctl restart sshd

On the client, edit the file /etc/ssh/ssh_config:

ServerAliveInterval 30
ServerAliveCountMax 10

Set server timezone

sudo timedatectl set-timezone America/Mexico_City

Config SSH

# sudo nano /etc/ssh/sshd_config

PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
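sshd takes the first occurrence of a keyword in the file, so a hardened line appended at the bottom does nothing if an earlier line already set that keyword. The following script, added here as an example and not part of the original gist, parses a config file with those semantics and reports which of the three directives above are not in effect. It does not follow Include lines (the file path and sample config are assumptions); sudo sshd -T remains the authoritative check on a live server.

```shell
#!/bin/sh
# Added example: verify the effective values of the hardening directives.
# sshd uses the FIRST uncommented occurrence of a keyword and stops
# considering global settings at the first Match block.

# sshd_effective FILE KEYWORD -> prints the first value found (keyword
# match is case-insensitive, like sshd's own parser); prints nothing
# if the keyword is absent, meaning the compiled-in default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank or comment
        tolower($1) == "match"                 { exit }   # Match blocks are conditional
        tolower($1) == key                     { print $2; exit }
    ' "$1"
}

# sshd_check FILE: returns 0 if every directive has the hardened value,
# 1 otherwise; prints one line per mismatch.
sshd_check() {
    rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no PermitEmptyPasswords=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: effective value is "%s", expected "%s"\n' \
                "$key" "${got:-<default>}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (hypothetical): the hardened lines were appended,
# but an earlier PasswordAuthentication line still wins.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF

# prints: PasswordAuthentication: effective value is "yes", expected "no"
sshd_check "$SAMPLE" || echo "fix the earlier line, then confirm with: sudo sshd -T | grep -i passwordauthentication"
rm -f "$SAMPLE"
```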

Secure Shared Memory

sudo nano /etc/fstab
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Disable root account

# Ensure first that an account with sudo permissions exists and can log in via SSH!!!
adduser paul
usermod -aG sudo paul

sudo passwd -l root

Make Sure No Non-Root Accounts Have UID Set To 0

awk -F: '($3 == "0") {print}' /etc/passwd
# You should only see one line as follows:
# root:x:0:0:root:/root:/bin/bash

Config iptables

sudo apt install iptables-persistent netfilter-persistent

Disable default firewall

sudo systemctl stop ufw
sudo systemctl disable ufw
sudo apt remove ufw

Edit iptables rules on /etc/iptables/rules.v4, load rules, check rules and enable service:

sudo iptables-restore < /etc/iptables/rules.v4
sudo iptables -L
sudo systemctl start netfilter-persistent
sudo systemctl enable netfilter-persistent

Fail2ban setup

sudo apt-get install fail2ban
# sudo nano /etc/fail2ban/jail.local

[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

banaction = iptables-multiport

[sshd]
enabled = true
filter = sshd[mode=aggressive]
maxretry = 1

Specific configuration for nginx can be found here

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

See fail2ban logs, jail status

sudo fail2ban-client status # list active jails
sudo nano /var/log/fail2ban.log # see logs
sudo fail2ban-client status sshd # see jail status
sudo fail2ban-client unban --all # unban all

Automatic updates

sudo apt install unattended-upgrades

Edit /etc/apt/apt.conf.d/50unattended-upgrades. Uncomment the line "${distro_id}:${distro_codename}-updates";. Optionally, modify the following lines:

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:38";

Edit /etc/apt/apt.conf.d/20auto-upgrades with settings below (time interval specified in days)

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";

To check that automatic updates work:

sudo unattended-upgrades --dry-run --debug

To check the auto-update logs:

cat /var/log/unattended-upgrades/unattended-upgrades.log

Optional

Disable IPv6

sudo nano /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Load changes
sudo sysctl -p

Remove unnecessary services

# See open ports
sudo netstat -tulpn
sudo ss -tulpn
sudo lsof -i -n -P

# Stop and remove services (rpcbind as an example)
sudo systemctl stop rpcbind
sudo systemctl disable rpcbind
sudo apt remove rpcbind

Enable syntax highlighting in nano

# nano ~/.nanorc

include /usr/share/nano/sh.nanorc
include /usr/share/nano/php.nanorc
include /usr/share/nano/html.nanorc
include /usr/share/nano/css.nanorc

Solve "dpkg was interrupted you must manually run..."

cd /var/lib/dpkg/updates
sudo rm *
sudo apt-get update