====== Ubuntu Server Setup ======

This document outlines a few steps that are useful after a fresh install of an Ubuntu Server - last updated for 20.04.

===== Install Useful Tools =====

  sudo apt install mlocate htop ncdu ranger tldr tree vim

===== More Software =====

==== Samba / CIFS ====

If you need to mount Windows network drives:

  sudo apt install cifs-utils

==== Java ====

Ubuntu provides multiple versions of OpenJDK, e.g.:

  sudo apt install openjdk-17-jdk-headless

If you need other versions, check https://adoptium.net (previously named adoptopenjdk). Unfortunately, as of 2021-10 they don't provide PPAs, only .tar.gz files. But this may change soon.

===== Lighttpd =====

Their documentation is a little messy; here are the relevant pages:

  * http://redmine.lighttpd.net/projects/lighttpd/wiki/TutorialConfiguration
  * http://redmine.lighttpd.net/projects/1/wiki/HowToSimpleSSL
  * http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL

===== OpenSSH =====

Disable root login in ''/etc/ssh/sshd_config'':

  PermitRootLogin no

A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in ''/etc/ssh/sshd_config'':

  PasswordAuthentication no
  #
  # Match-block at end of file for exceptions:
  Match User fallbackuser
      PasswordAuthentication yes

Ubuntu tutorials: [[https://help.ubuntu.com/community/SSH/OpenSSH/Keys]] \\
[[https://help.ubuntu.com/community/SSH/OpenSSH/Configuring]]

Further harden OpenSSH according to the [[https://stribika.github.io/2015/01/04/secure-secure-shell.html|secure secure shell guide]].

===== Enable Automatic Security Updates =====

Install unattended-upgrades:

  sudo apt install unattended-upgrades

Or reconfigure it if it's already installed:

  sudo dpkg-reconfigure -plow unattended-upgrades

This creates the file ''/etc/apt/apt.conf.d/20auto-upgrades''.

To avoid filling up small hard drives over time (e.g. with multiple kernel versions) it may be useful to activate the equivalent of ''sudo apt autoremove'': Set ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' in ''/etc/apt/apt.conf.d/50unattended-upgrades''.

See also:

  * ''/etc/apt/apt.conf.d/20auto-upgrades'' (and ''man apt.conf'')
  * [[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]
  * [[https://ubuntu.com/server/docs/package-management]]

===== Decrease Swappiness =====

Add a line to ''/etc/sysctl.conf'' and override the default swappiness of 60 with a much lower value, e.g.

  vm.swappiness=10

[[http://wiki.ubuntuusers.de/Swap]]

===== Root Kit & Intrusion Detection =====

Have a look at e.g. [[http://wiki.ubuntuusers.de/chkrootkit|chkrootkit]] and [[http://www.nongnu.org/tiger/|tiger]].

===== Greeting =====

If you fancy a nice greeting message:

  #!/bin/bash
  # http://patorjk.com/software/taag/#p=display&h=1&f=Calvin%20S&t=my-server-name
  # http://patorjk.com/software/taag/#p=display&h=1&v=0&f=ANSI%20Regular&t=my-server-name
  echo "┌┬┐┬ ┬ ┌─┐┌─┐┬─┐┬ ┬┌─┐┬─┐ ┌┐┌┌─┐┌┬┐┌─┐"
  echo "│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ "
  echo "┴ ┴ ┴ └─┘└─┘┴└─ └┘ └─┘┴└─ ┘└┘┴ ┴┴ ┴└─┘"
  # or alternatively
  # figlet my-server-name

Don't forget to make the file executable.

When using ''byobu'', delete ''~/.hushlogin'' to still see the greeting (and all other info you usually get when logging in).

===== More Resources =====

[[https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/]]
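
One way to check a config file against the OpenSSH baseline described above (root login off, password authentication off globally, exceptions only inside ''Match'' blocks). This is an added example, not part of the original page; the function name ''audit_sshd_config'' and its output format are made up for illustration, and it assumes plain whitespace-separated ''Keyword value'' lines and does not follow ''Include'' directives.

```shell
#!/bin/bash
# Added example (not from the original page): check an sshd_config-style file
# against the baseline above. Assumption: Include directives are not followed.

audit_sshd_config() {
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    { key = tolower($1); val = $2 }             # keywords are case-insensitive
    key == "match" {                            # later lines apply to this match only
      $1 = ""; sub(/^ +/, ""); ctx = $0; next
    }
    key != "permitrootlogin" && key != "passwordauthentication" { next }
    ctx != "" {                                 # setting inside a Match block
      if (key == "passwordauthentication" && val == "yes")
        print "EXCEPTION password login allowed for: Match " ctx
      else if (key == "permitrootlogin" && val != "no") {
        print "FAIL root login allowed for: Match " ctx; bad = 1
      }
      next
    }
    !(key in seen) { seen[key] = val }          # sshd uses the first value it reads
    END {
      n = split("permitrootlogin passwordauthentication", want, " ")
      for (i = 1; i <= n; i++) {
        k = want[i]
        if (!(k in seen))         { print "FAIL " k " is not set in this file"; bad = 1 }
        else if (seen[k] != "no") { print "FAIL " k " " seen[k]; bad = 1 }
        else                        print "OK " k " no"
      }
      exit bad
    }
  ' "$1"
}

# Constructed sample input: the settings from the OpenSSH section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
#
# Match-block at end of file for exceptions:
Match User fallbackuser
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample"   # exit status 0: baseline met, one exception listed
rm -f "$sample"
```

On a live host, point it at ''/etc/ssh/sshd_config'' (and separately at any included files), review every EXCEPTION line, and validate the file with ''sudo sshd -t'' before reloading the service.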