User Tools

Site Tools


ubuntu_server_setup

Ubuntu Server Setup

This document should outline a few steps that are useful after a fresh install of an Ubuntu Server.

Basic Packages

If you are dealing with a minimal installation (meta-package ubuntu-minimal) you may want to beef it up a bit. Check what packages are typically bundled e.g. when installing Ubuntu Server or just select your server style:

tasksel # ncurses GUI
tasksel --list-tasks
tasksel --task-packages server

Some additional packages for easier CLI handling:

sudo apt-get install bash-completion ubuntu-release-upgrader-core software-properties-common

Oracle Java

If you need Oracle Java install it from this 3rd party repo (which is updated regularly):

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

original source, more info @ ubuntuusers.de

Lighttpd

OpenSSH

Disable root login in /etc/ssh/sshd_config:

PermitRootLogin no

A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in /etc/ssh/sshd_config:

PasswordAuthentication no

# <snip>
# Match-block at end of file for exceptions:

Match User fallbackuser
  PasswordAuthentication yes

Ubuntu tutorials: https://help.ubuntu.com/community/SSH/OpenSSH/Keys
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

Further harden OpenSSH according to the secure secure shell guide

Enable Automatic Security Updates

Quickly enable unattended upgrades:

sudo dpkg-reconfigure -plow unattended-upgrades

This creates the file /etc/apt/apt.conf.d/20auto-upgrades.

Then set Unattended-Upgrade::Remove-Unused-Dependencies to true in /etc/apt/apt.conf.d/50unattended-upgrades.

See also:

Ubuntu <= 14.04

Unattended-Upgrade::Remove-Unused-Dependencies seems to be broken in Ubuntu 14.04. This entry in /etc/crontab should do the trick by daily executing autoremove:

0  0    * * *   root    apt-get autoremove -y >> /var/log/autoremovecronjob.log 2>&1

Decrease Swappiness

Add a line to /etc/sysctl.conf and override the default swappiness of 60 with a much lower value, e.g.

vm.swappiness=10

http://wiki.ubuntuusers.de/Swap

Root Kit & Intrusion Detection

Have a look at at e.g. chkrootkit and tiger tiger

Greeting

If you fancy a nice greeting message:

/etc/update-motd.d/99-greeting
#!/bin/bash
 
# http://patorjk.com/software/taag/#p=display&h=1&f=Calvin%20S&t=my-server-name
echo "┌┬┐┬ ┬   ┌─┐┌─┐┬─┐┬  ┬┌─┐┬─┐   ┌┐┌┌─┐┌┬┐┌─┐"
echo "│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ "
echo "┴ ┴ ┴    └─┘└─┘┴└─ └┘ └─┘┴└─   ┘└┘┴ ┴┴ ┴└─┘"
 
# or alternatively
# figlet my-server-name

More Resources

ubuntu_server_setup.txt · Last modified: 2018/08/13 10:24 by mstraub