9 things I do after installing a fresh Linux server (Ubuntu)...

1. System upgrade

The first thing I do after installing new system is upgrade procedure. Linux distro images (ISO files) are released every few months and probably many of the packages were updated by their maintainers since the last ISO file was released. To keep your system up to date you need to perform regular upgrades.

I prefer apt-get tool for this,

# apt-get update
# apt-get dist-upgrade -y

hint: remember to reboot your system if the kernel package was upgraded

2. Set default text editor

I use only one text editor Vim... Vim has many advantages and one of them is that it is available out of the box in almost all Linux distros. To configure Vim as default system text editor I use update-alternatives tool,

$ update-alternatives --config editor
There are 4 choices for the alternative editor (providing /usr/bin/editor).

Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/ed             -100       manual mode
  2            /bin/nano            40        manual mode
  3            /usr/bin/vim.basic   30        manual mode
  4            /usr/bin/vim.tiny    10        manual mode

Press <enter> to keep the current choice[*], or type selection number:
Chose option **3** and confirm. From now the tools like visudo, crontab will run Vim to edit config files.

3. SSH security - AllowUsers

If the server is used by the limited number of users, it's worth to disable login option for all but trusted users. It is quite simple when you use OpenSSH (the most popular SSH server),

# vi /etc/ssh/sshd_config

add new line,

AllowUsers jamzed

and restart sshd service,

# sshd -t

this will check the configuration file systax, if no errors you can execute

# service sshd restart

After sshd restart only the jamzed user will be able to login.

hint: you can safely restart sshd service and your SSH session won't be disconnected

4. SSH security - PubkeyAuthentication

Passwords, passwords, passwords... I don't like to type my password every time I login to my server. Fortunatelly we have the ability to log in to the servers using public and private keys. Every modern Linux distro has enabled PubkeyAuthentication (in /etc/ssh/sshd_config) option by default, so all what we need to do is just to generate a pair of keys and copy the public key to the server.

$ ssh-keygen -b 4096 -C my_key

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:iWpy+YnHAaQd98yfVMO45k2y0GZfouugBArd5K8RiHg my_key

The key's randomart image is:
+---[RSA 4096]----+
|           o     |
|    o .   . +    |
|   +.o + . o .   |
|.o.=o  .=.O o .  |
|+ E =.. SO O o   |
| o . *.   * o    |
|  o *.o..  .     |
|   + *oo ..      |
|    o.+  ..      |
+----[SHA256]-----+

Passhphrase is password to the private key, I highly recommend to set some and use ssh-agent. ssh-agent is like a keychain, you can import private key (the passphrase will be required once) and use it many times.

ssh-keygen command generates a pair of keys, private and public, remember that the private key (~/.ssh/id_rsa) should be secured as high as possible, it is only for you, you can only share the public key (~/.ssh/id_rsa.pub).

When your keys are generated, you can copy the public key to the server. You can use script ssh-copy-id or just copy/paste the content of the id_rsa.pub.

• ssh-copy-id [email protected]
• copy/paste the content to [email protected]:.ssh/authorized_keys

I will use ssh-copy-id,

# ssh-copy-id 192.168.1.1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"

The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:lkBZQlRAuh7RE56QK5hSst9TvqxOxGS6A0hMe3nVJfQ.

Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

[email protected]'s password:
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.1.1'"
and check to make sure that only the key(s) you wanted were added.

Our public key has been uploaded and we can ssh using key authentication method. ;-)

5. SSH - PasswordAuthentication

When the public key is uploaded and we are able to login without password, it's time to disable password authentication method.

# vi /etc/ssh/sshd_config

and add the line,

PasswordAuthentication no

If this line already exist but is set to yes you can change it to no and reload ssh daemon.

6. fail2ban

fail2ban scans log files and bans IPs that show the malicious signs. The perfect usage is tracking invalid SSH logins and block IP addresses which try to brute force users password. The default setting is 5 attempts and the IP will be blocked for an hour :) This is perfect mechanism to block any robots and automatics network scans.

# apt-get install fail2ban

And this is all what you need to install it, the good practice is to whitelist your home IP, to avoid any issues.

# vi /etc/fail2ban/jail.conf

and update ignoreip setting,

ignoreip = 127.0.0.1/8 your.ip.addre.ss

7. Firewall (iptables)

When it comes to firewalls I confess only one rule, block everything and allow only what is necessary. The simplest set of my rules is,

# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -P INPUT DROP

which is equivalent to,

• enable stateful firewall (conntrack)
• allow incoming traffic to loopback interface
• block invalid packets (invalid headers or checksums, invalid TCP flags, invalid ICMP messages)
• allow SSH connections (port TCP/22)
• allow PING requests
• drop everything else

In Ubuntu Linux, if you want to save and load firewall policy at system startup, you need to install one extra package, iptables-persistent

# apt-get install iptables-persistent

During installation you will be asked if you want to save the current set of the rules, if you already made any changes in firewall configuration you can chose 'YES'.

To save iptables configuration you need to run,

# /etc/init.d/netfilter-persistent save

hint: iptables configuration files are in location: /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6

8. System stats and monitoring

I like to know what is happening with my servers and have possibility to check the current load, cpu, disk or memory usage. I use many tools for that, also external monitoring system, but for quick local troubleshooting I use:

• sysstat
• vnstat
• iotop
• iftop
• bwm-ng
• htop
• munin

To install all of them you can run,

# apt-get install sysstat vnstat iotop iftop bwm-ng htop munin

• sysstat - collection of tools for system monitoring, (disk, cpu, memory), sysstat let you collect some metrics and use historical data

• vnstat - network statistics, you can see what is your traffic, daily/weekly/monthly/etc...

• iotop - tool for I/O monitoring, you can easily check which process generate high disk usage

• iftop - network usage monitor

• bwm-ng - bandwidth monitor

• htop - top on steroids ;-)

• munin - system statistics/graphs, it has a lot of plugins ready to use (disk, memory, cpu, uptime, apache traffic, nginx traffic, memcached, mysql), if something is missing you can write your own script and monitor whatever you need.

9. sudo

sudo is a tool that allows users to run programs with the security privileges of another user, by default the root. When you install Ubuntu the installer creates unprivileged user account and add it to the sudo group, this trick lets you manage the system without direct access to root account.

Behind the UI installer execute command like this:

# adduser username sudo

Users in sudo group can execute all commands with root privileges without knowing root password, only their own password will be required,

# sudo /bin/command

If you want to grant sudo permission to user (testuser) to run specific command (/sbin/reboot) without asking for password you can use Visual Sudo Editor visudo (it will open /etc/sudoers file) and add below line:

testuser ALL=(ALL) NOPASSWD: /sbin/reboot

hint: if you want to switch user to root you can run: sudo su - root

---

Posted on Utopian.io - Rewarding Open Source Contributors

---