This document should outline a few steps that are useful after a fresh install of an Ubuntu Server.
If you are dealing with a minimal installation (meta-package ubuntu-minimal) you may want to beef it up a bit. Check what packages are typically bundled e.g. when installing Ubuntu Server or just select your server style:
tasksel # ncurses GUI
tasksel --list-tasks
tasksel --task-packages server
Some additional packages for easier CLI handling:
sudo apt-get install bash-completion ubuntu-release-upgrader-core software-properties-common
If you need Oracle Java install it from this 3rd party repo (which is updated regularly):
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer
Their documentation is a little messy, here are the relevant pages:
A good baseline is to only allow logins via public key authentication (disable password authentication), except for a fallback user with a very long and complex password. See these lines in /etc/ssh/sshd_config:
PasswordAuthentication no
# <snip>
# Match-block at end of file for exceptions:
Match User fallbackuser
    PasswordAuthentication yes
Ubuntu tutorials:
https://help.ubuntu.com/community/SSH/OpenSSH/Keys
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
Further harden OpenSSH according to the "Secure Secure Shell" guide.
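One way to check a config file against the password-login baseline described above, as an added example that is not part of the original page. The function names audit_sshd_password_auth and sample_config and the sample config itself are made up for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the password-login baseline.
# Output: "exception=<criteria>" for every Match block that re-enables
# passwords, then "global=<value>". Exit status is 0 only if global is "no".
# Limits: handles the "Keyword value" form only; Include files are not followed.
audit_sshd_password_auth() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        { key = tolower($1) }                      # keywords are case-insensitive
        key == "match" {
            in_match = 1; seen = 0
            crit = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", crit)  # keep criteria after "Match"
            next
        }
        key == "passwordauthentication" {
            val = $2                               # arguments are case-sensitive
            if (!in_match) {
                if (global == "") global = val     # first value obtained wins
            } else if (!seen) {
                seen = 1
                if (val == "yes") print "exception=" crit
            }
        }
        END {
            if (global == "") global = "yes"       # OpenSSH default when unset
            print "global=" global
            exit (global == "no" ? 0 : 1)
        }
    ' "$@"
}

# Constructed sample input mirroring the snippet above (not a real server file).
sample_config() {
    cat <<'EOF'
# constructed sample sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
# Match-block at end of file for exceptions:
Match User fallbackuser
    PasswordAuthentication yes
EOF
}

# Reads stdin when no file is given; on a server pass /etc/ssh/sshd_config.
sample_config | audit_sshd_password_auth
```

Every exception line should name an account you deliberately kept as a fallback. On a live server, sudo sshd -T -C user=fallbackuser,host=localhost,addr=127.0.0.1 prints the effective settings for that user, including anything pulled in through Include.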
Quickly enable unattended upgrades:
sudo dpkg-reconfigure -plow unattended-upgrades
Unattended upgrades are configured in /etc/apt/apt.conf.d/50unattended-upgrades
For machines with limited disk space you should also enable automatic removal of unused kernels by setting Unattended-Upgrade::Remove-Unused-Dependencies to true (works in Ubuntu 16.04).
Unattended-Upgrade::Remove-Unused-Dependencies seems to be broken in Ubuntu 14.04! This entry in /etc/crontab should do the trick by running autoremove daily:
0 0 * * * root apt-get autoremove -y >> /var/log/autoremovecronjob.log 2>&1
https://help.ubuntu.com/community/AutomaticSecurityUpdates
https://help.ubuntu.com/16.04/serverguide/automatic-updates.html
Add a line to /etc/sysctl.conf and override the default swappiness of 60 with a much lower value, e.g.
vm.swappiness=10
Have a look at e.g. chkrootkit and tiger.