ubuntu_server_setup
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
ubuntu_server_setup [2017/11/23 13:39] mstraub [Enable Automatic Security Updates] |
ubuntu_server_setup [2018/08/13 10:23] mstraub [OpenSSH] |
||
|---|---|---|---|
| Line 36: | Line 36: | ||
| ===== OpenSSH ===== | ===== OpenSSH ===== | ||
| + | |||
| + | Disable root login in ''/etc/ssh/sshd_config'': | ||
| + | |||
| + | <code> | ||
| + | PermitRootLogin no | ||
| + | </code> | ||
| A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in ''/etc/ssh/sshd_config'': | A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in ''/etc/ssh/sshd_config'': | ||
| Line 62: | Line 68: | ||
| </code> | </code> | ||
| - | Unattended upgrades are configured in ''/etc/apt/apt.conf.d/50unattended-upgrades'' | + | Then set ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' in ''/etc/apt/apt.conf.d/50unattended-upgrades''. |
| - | For machines with limited disk space you should also enable automatic removing of unused kernels by setting ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' (works in Ubuntu 16.04). | + | See also: |
| + | * ''/etc/apt/apt.conf.d/20auto-upgrades'' (and ''man apt.conf'') | ||
| + | * [[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]\\ | ||
| + | * [[https://help.ubuntu.com/16.04/serverguide/automatic-updates.html]] | ||
| - | FIXME Unattended-Upgrade::Remove-Unused-Dependencies seems to be broken in Ubuntu 14.04! This entry in ''/etc/crontab'' should do the trick by daily executing autoremove: | + | ==== Ubuntu <= 14.04 ==== |
| + | Unattended-Upgrade::Remove-Unused-Dependencies seems to be broken in Ubuntu 14.04. This entry in ''/etc/crontab'' should do the trick by daily executing autoremove: | ||
| <code> | <code> | ||
| Line 73: | Line 83: | ||
| - | [[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]\\ | ||
| - | [[https://help.ubuntu.com/16.04/serverguide/automatic-updates.html]] | ||
| ===== Decrease Swappiness ===== | ===== Decrease Swappiness ===== | ||
| Line 89: | Line 97: | ||
| Have a look at at e.g. [[http://wiki.ubuntuusers.de/chkrootkit|chkrootkit]] and tiger [[http://www.nongnu.org/tiger/|tiger]] | Have a look at at e.g. [[http://wiki.ubuntuusers.de/chkrootkit|chkrootkit]] and tiger [[http://www.nongnu.org/tiger/|tiger]] | ||
| + | ===== Greeting ===== | ||
| + | |||
| + | If you fancy a nice greeting message: | ||
| + | |||
| + | <file bash /etc/update-motd.d/99-greeting> | ||
| + | #!/bin/bash | ||
| + | |||
| + | # http://patorjk.com/software/taag/#p=display&h=1&f=Calvin%20S&t=my-server-name | ||
| + | echo "┌┬┐┬ ┬ ┌─┐┌─┐┬─┐┬ ┬┌─┐┬─┐ ┌┐┌┌─┐┌┬┐┌─┐" | ||
| + | echo "│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ " | ||
| + | echo "┴ ┴ ┴ └─┘└─┘┴└─ └┘ └─┘┴└─ ┘└┘┴ ┴┴ ┴└─┘" | ||
| + | |||
| + | # or alternatively | ||
| + | # figlet my-server-name | ||
| + | </file> | ||
| ===== More Resources ===== | ===== More Resources ===== | ||
| [[http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers]]\\ | [[http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers]]\\ | ||
| [[https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics]] | [[https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics]] | ||
ubuntu_server_setup.txt · Last modified: 2021/10/18 16:19 by mstraub
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
