ubuntu_server_setup

Differences

This shows you the differences between two versions of the page.

ubuntu_server_setup [2016/06/20 12:49]
mstraub [Basic Packages]
ubuntu_server_setup [2021/10/18 16:19] (current)
mstraub [Java]
Line 1: Line 1:
 ====== Ubuntu Server Setup ====== ====== Ubuntu Server Setup ======
  
-This document should outline a few steps that are useful after a fresh install of an Ubuntu Server.+This document should outline a few steps that are useful after a fresh install of an Ubuntu Server ​- last updated for 20.04.
  
-===== Basic Packages ​=====+===== Install Useful Tools =====
  
-If you are dealing with a minimal installation (meta-package ubuntu-minimal) you may want to beef it up a bit. Check what packages are typically bundled e.g. when installing Ubuntu Server or just select your server style: +<​code ​bash
-<​code>​ +sudo apt install mlocate htop ncdu ranger tldr tree vim
-tasksel # ncurses GUI +
-tasksel --list-tasks +
-tasksel --task-packages server+
 </​code>​ </​code>​
  
-Some additional packages for easier CLI handling: +===== More Software ​===== 
-<​code>​ + 
-sudo apt-get install bash-completion ubuntu-release-upgrader-core software-properties-common +==== Samba / CIFS ==== 
-</​code>​ + 
-===== Oracle Java =====+If you need to mount Windows network drives:
  
-If you need Oracle Java install it from this 3rd party repo (which is updated regularly): 
 <code bash> <code bash>
-sudo add-apt-repository ppa:​webupd8team/​java +sudo apt install ​cifs-utils
-sudo apt-get update +
-sudo apt-get ​install ​oracle-java8-installer+
 </​code>​ </​code>​
  
-[[http://​www.webupd8.org/​2012/​09/​install-oracle-java-8-in-ubuntu-via-ppa.html|original source]], [[https://​wiki.ubuntuusers.de/​Java/​Installation/​Oracle_Java/​Java_8|more info @ ubuntuusers.de]]+==== Java ====
  
 +Ubuntu provides multiple versions of OpenJDK, e.g.:
  
 +<code bash>
 +sudo apt install openjdk-17-jdk-headless
 +</​code>​
 +
 +If you need other versions check https://​adoptium.net (previously named adoptopenjdk). Unfortunately as of 2021-10 they don't provide ppas but only .tar.gz files. But this may change soon.
 ===== Lighttpd ===== ===== Lighttpd =====
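Review bot: the new Java paragraph sends readers to .tar.gz downloads from adoptium.net without saying that a JDK unpacked from a tarball sits outside apt, so the unattended-upgrades setup described later on this page will never patch it. Suggest adding a sentence that such installs have to be updated by hand and the download checked against the published checksum, and recommending the ''openjdk-*-headless'' packages wherever the packaged version fits.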
  
Line 36: Line 36:
  
 ===== OpenSSH ===== ===== OpenSSH =====
 +
 +Disable root login in ''/​etc/​ssh/​sshd_config'':​
 +
 +<​code>​
 +PermitRootLogin no
 +</​code>​
  
 A good baseline is to only allow logins via public key authentication (disable password authentication),​ except for a fallback user with a very long and complex password. See these lines in ''/​etc/​ssh/​sshd_config'':​ A good baseline is to only allow logins via public key authentication (disable password authentication),​ except for a fallback user with a very long and complex password. See these lines in ''/​etc/​ssh/​sshd_config'':​
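Review bot: the added ''PermitRootLogin no'' step stops at editing the file; nothing tells the reader to validate the configuration and reload sshd, or to confirm first that a non-root account with sudo rights can log in. Suggest adding ''sudo sshd -t'' followed by ''sudo systemctl reload ssh'' after the block, with a reminder to keep the current session open until a second login has been tested.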
Line 57: Line 63:
 ===== Enable Automatic Security Updates ===== ===== Enable Automatic Security Updates =====
  
-Quickly enable ​unattended upgrades:+Install ​unattended-upgrades
 + 
 +<code bash> 
 +sudo apt install unattended-upgrades 
 +</​code>​ 
 + 
 +Or reconfigure it if it's already installed:
 <code bash> <code bash>
 sudo dpkg-reconfigure -plow unattended-upgrades sudo dpkg-reconfigure -plow unattended-upgrades
 </​code>​ </​code>​
 +This creates the file ''/​etc/​apt/​apt.conf.d/​20auto-upgrades''​.
  
-Unattended upgrades are configured in ''​/etc/apt/​apt.conf.d/​50unattended-upgrades''​+To avoid filling up small hard drives over time (e.g. with multiple kernel versions) it may be useful to activate the equivalent of ''​sudo apt autoremove''​:
  
-For machines with limited disk space you should also enable automatic removing of unused kernels by setting ​''​Unattended-Upgrade::​Remove-Unused-Dependencies''​ to ''​true''​+Set ''​Unattended-Upgrade::​Remove-Unused-Dependencies''​ to ''​true'' ​in ''/​etc/​apt/​apt.conf.d/​50unattended-upgrades''​.
  
-FIXME Unattended-Upgrade::​Remove-Unused-Dependencies seems to be broken in Ubuntu 14.04! This entry in ''/​etc/​crontab'' ​should do the trick by daily executing autoremove:+See also: 
 +  * ''/​etc/​apt/​apt.conf.d/​20auto-upgrades'' ​(and ''​man apt.conf''​) 
 +  * [[https://​help.ubuntu.com/​community/​AutomaticSecurityUpdates]]\\ 
 +  * [[https://​ubuntu.com/​server/​docs/​package-management]]
  
-<​code>​ 
-0  0    * * *   ​root ​   apt-get autoremove -y >> /​var/​log/​autoremovecronjob.log 2>&1 
-</​code>​ 
- 
- 
-[[https://​help.ubuntu.com/​community/​AutomaticSecurityUpdates]]\\ 
-[[https://​help.ubuntu.com/​14.04/​serverguide/​automatic-updates.html]] 
  
 ===== Decrease Swappiness ===== ===== Decrease Swappiness =====
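Review bot: the rewritten section says a file ''/etc/apt/apt.conf.d/20auto-upgrades'' is created but never shows what it should contain or how to check that upgrades actually run, and because the sentence follows the ''dpkg-reconfigure'' block it is unclear whether a plain ''apt install'' produces the file too. Suggest listing the two expected lines (''APT::Periodic::Update-Package-Lists "1";'' and ''APT::Periodic::Unattended-Upgrade "1";'') and mentioning ''sudo unattended-upgrade --dry-run --debug'' as a test. The text should also say that ''Remove-Unused-Dependencies'' removes every automatically installed package that is no longer needed, not only old kernels, and the stray ''\\'' after the help.ubuntu.com link in the See also list can go.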
Line 89: Line 98:
 Have a look at at e.g. [[http://​wiki.ubuntuusers.de/​chkrootkit|chkrootkit]] and tiger [[http://​www.nongnu.org/​tiger/​|tiger]] Have a look at at e.g. [[http://​wiki.ubuntuusers.de/​chkrootkit|chkrootkit]] and tiger [[http://​www.nongnu.org/​tiger/​|tiger]]
  
 +===== Greeting =====
 +
 +If you fancy a nice greeting message:
 +
 +<file bash /​etc/​update-motd.d/​99-greeting>​
 +#!/bin/bash
 +
 +# http://​patorjk.com/​software/​taag/#​p=display&​h=1&​f=Calvin%20S&​t=my-server-name
 +# http://​patorjk.com/​software/​taag/#​p=display&​h=1&​v=0&​f=ANSI%20Regular&​t=my-server-name
 +echo "​┌┬┐┬ ┬   ​┌─┐┌─┐┬─┐┬ ​ ┬┌─┐┬─┐ ​  ​┌┐┌┌─┐┌┬┐┌─┐"​
 +echo "​│││└┬┘───└─┐├┤ ├┬┘└┐┌┘├┤ ├┬┘───│││├─┤│││├┤ "
 +echo "┴ ┴ ┴    └─┘└─┘┴└─ └┘ └─┘┴└─ ​  ​┘└┘┴ ┴┴ ┴└─┘"​
 +
 +# or alternatively
 +# figlet my-server-name
 +</​file>​
 +
 +Don't forget to make the file executable.
 +
 +When using ''​byobu''​ delete ''​~/​.hushlogin''​ to still see the greeting (and all other info you usually get when logging in).
 ===== More Resources ===== ===== More Resources =====
  
-[[http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers]]\\ +[[https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/]]
-[[https://​www.thefanclub.co.za/​how-to/​how-secure-ubuntu-1204-lts-server-part-1-basics]]+
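Review bot: "Don't forget to make the file executable" in the new Greeting section should state owner and mode, since scripts in ''/etc/update-motd.d/'' are run as root at login. Suggest spelling it out as ''sudo chown root:root /etc/update-motd.d/99-greeting'' and ''sudo chmod 755 /etc/update-motd.d/99-greeting'' so that only root can modify the script. In More Resources, two references are replaced by a single third-party checklist; consider keeping an official Ubuntu security link next to it.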
ubuntu_server_setup.1466419785.txt.gz · Last modified: 2016/06/20 12:49 by mstraub