Differences

This shows you the differences between two versions of the page.

--- ubuntu_server_setup [2017/11/23 13:39]
mstraub [Enable Automatic Security Updates]
+++ ubuntu_server_setup [2021/08/26 16:32]
mstraub [Java]
@@ Line 1: / Line 1: @@
 ====== Ubuntu Server Setup ======
-This document should outline a few steps that are useful after a fresh install of an Ubuntu Server.
+This document should outline a few steps that are useful after a fresh install of an Ubuntu Server - last updated for 20.04.
-===== Basic Packages =====
+===== Install Useful Tools =====
-If you are dealing with a minimal installation (meta-package ubuntu-minimal) you may want to beef it up a bit. Check what packages are typically bundled e.g. when installing Ubuntu Server or just select your server style:
+<code bash>
-<code>
+sudo apt install mlocate htop ncdu ranger tldr tree vim
-tasksel # ncurses GUI
-tasksel --list-tasks
-tasksel --task-packages server
 </code>
-Some additional packages for easier CLI handling:
+===== More Software =====
-<code>
-sudo apt-get install bash-completion ubuntu-release-upgrader-core software-properties-common
+==== Samba / CIFS ====
-</code>
-===== Oracle Java =====
+If you need to mount Windows network drives:
-If you need Oracle Java install it from this 3rd party repo (which is updated regularly):
 <code bash>
-sudo add-apt-repository ppa:webupd8team/java
+sudo apt install cifs-utils
-sudo apt-get update
-sudo apt-get install oracle-java8-installer
 </code>
-[[http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html|original source]], [[https://wiki.ubuntuusers.de/Java/Installation/Oracle_Java/Java_8|more info @ ubuntuusers.de]]
+==== Java ====
+If you are fine with the OpenJDK version that comes with your Ubuntu:
+<code bash>
+sudo apt install openjdk-11-jdk-headless
+</code>
+A good alternative if you want other versions is https://adoptopenjdk.net - they provide ppas for free.
 ===== Lighttpd =====
@@ Line 36: / Line 36: @@
 ===== OpenSSH =====
+Disable root login in ''/etc/ssh/sshd_config'':
+<code>
+PermitRootLogin no
+</code>
 A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in ''/etc/ssh/sshd_config'':
@@ Line 57: / Line 63: @@
 ===== Enable Automatic Security Updates =====
-Quickly enable unattended upgrades:
+Install unattended-upgrades:
+<code bash>
+sudo apt install unattended-upgrades
+</code>
+Or reconfigure it if it's already installed:
 <code bash>
 sudo dpkg-reconfigure -plow unattended-upgrades
 </code>
+This creates the file ''/etc/apt/apt.conf.d/20auto-upgrades''.
-Unattended upgrades are configured in ''/etc/apt/apt.conf.d/50unattended-upgrades''
+To avoid filling up small hard drives over time (e.g. with multiple kernel versions) it may be useful to activate the equivalent of ''sudo apt autoremove'':
-For machines with limited disk space you should also enable automatic removing of unused kernels by setting ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' (works in Ubuntu 16.04).
+Set ''Unattended-Upgrade::Remove-Unused-Dependencies'' to ''true'' in ''/etc/apt/apt.conf.d/50unattended-upgrades''.
-FIXME Unattended-Upgrade::Remove-Unused-Dependencies seems to be broken in Ubuntu 14.04! This entry in ''/etc/crontab'' should do the trick by daily executing autoremove:
+See also:
+  * ''/etc/apt/apt.conf.d/20auto-upgrades'' (and ''man apt.conf'')
+  * [[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]\\
+  * [[https://ubuntu.com/server/docs/package-management]]
-<code>
-  0    * * *   root    apt-get autoremove -y >> /var/log/autoremovecronjob.log 2>&1
-</code>
-[[https://help.ubuntu.com/community/AutomaticSecurityUpdates]]\\
-[[https://help.ubuntu.com/16.04/serverguide/automatic-updates.html]]
 ===== Decrease Swappiness =====
@@ Line 89: / Line 98: @@
 Have a look at at e.g. [[http://wiki.ubuntuusers.de/chkrootkit|chkrootkit]] and tiger [[http://www.nongnu.org/tiger/|tiger]]
+===== Greeting =====
+If you fancy a nice greeting message:
+<file bash /etc/update-motd.d/99-greeting>
+#!/bin/bash
+# http://patorjk.com/software/taag/#p=display&h=1&f=Calvin%20S&t=my-server-name
+# http://patorjk.com/software/taag/#p=display&h=1&v=0&f=ANSI%20Regular&t=my-server-name
+echo "┌┬┐┬ ┬   ┌─┐┌─┐┬─┐┬  ┬┌─┐┬─┐   ┌┐┌┌─┐┌┬┐┌─┐"
+echo "│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ "
+echo "┴ ┴ ┴    └─┘└─┘┴└─ └┘ └─┘┴└─   ┘└┘┴ ┴┴ ┴└─┘"
+# or alternatively
+# figlet my-server-name
+</file>
+Don't forget to make the file executable.
+When using ''byobu'' delete ''~/.hushlogin'' to still see the greeting (and all other info you usually get when logging in).
 ===== More Resources =====
-[[http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers]]\\
+[[https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/]]
-[[https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics]]

Small heaps of code

User Tools

Site Tools

Differences

Page Tools