The steps taken to set up an Ubuntu web server.
Update Aptitude:
sudo apt-get update
New Server Setup (Reasonably Secure Ubuntu Box)
Basic setup for a new box:
blocks password logins - need to use public key
blocks bruteforcing w/ fail2ban
ufw/iptables to allow only SSH/HTTP/HTTPS from public
weekly auto security updates via unattended-upgrades
basic setup
The list of actions below was taken mostly from Book Of Zeus with minor modifications and did the job well for the Ubuntu version that was available at that moment (May 2016). This gist was created for internal use and was never meant to be discovered by the web, although Google managed to find and index this page, which was a great surprise for me. Please check the original source for the updated information (links are provided in most of the sections), and read the comments below: they provide more details about the usage experience.
http://bookofzeus.com/harden-ubuntu/initial-setup/system-updates/
Keeping the system updated is vital before starting anything else on your system. It prevents people from using known vulnerabilities to get into your system.
# Disable Commercial Repo
sed -i "s/^deb/\#deb/" /etc/apt/sources.list.d/pve-enterprise.list
apt-get update
# Add PVE Community Repo
echo "deb http://download.proxmox.com/debian/pve $(grep "VERSION=" /etc/os-release | sed -n 's/.*(\(.*\)).*/\1/p') pve-no-subscription" > /etc/apt/sources.list.d/pve-no-enterprise.list
apt-get update
# Remove nag
echo "DPkg::Post-Invoke { \"dpkg -V proxmox-widget-toolkit | grep -q '/proxmoxlib\.js$'; if [ \$? -eq 1 ]; then { echo 'Removing subscription nag from UI...'; sed -i '/data.status/{s/\!//;s/Active/NoMoreNagging/}' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js; }; fi\"; };" > /etc/apt/apt.conf.d/no-nag-script
In order for the LXC container to have full access to the Proxmox host directory, a subgid is set as owner of the host directory, and an ACL is used to ensure permissions.
Add the following line to /etc/pve/lxc/<CT_ID>.conf
mp0:/mount/point/on/host,mp=/mount/point/on/lxc
OR
pct set 100 -mp0 /mnt/bindmounts/shared,mp=/shared
In the default Proxmox configuration, unprivileged container subgids will have the prefix "10" followed by the expected 4-digit gid.
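The subgid rule described above, as an added shell example (not part of the original gist): it computes the host gid by adding the container gid to the start of root's /etc/subgid range, which also covers gids that are not four digits, and prints the group and ACL commands instead of running them. The sample subgid entry is constructed; the function names, the rwx permission and a container that uses the default id mapping (no custom lxc.idmap lines) are assumptions.

```shell
#!/bin/sh
# Added example: map a container gid to the host-side gid for an
# unprivileged LXC container, then print (not run) the group-ownership
# and ACL commands for the bind-mounted host directory.

# Constructed sample of /etc/subgid content. Assumption: the default entry,
# which delegates 65536 ids starting at 100000 to root.
SAMPLE_SUBGID='root:100000:65536'

# host_gid <container_gid> [subgid_text]   (hypothetical helper name)
# Prints the host gid; returns 1 if the gid is not numeric or lies
# outside the delegated range (such a gid has no mapping on the host).
host_gid() {
    cgid=$1
    entry=$(printf '%s\n' "${2:-$SAMPLE_SUBGID}" | grep '^root:' | head -n 1)
    [ -n "$entry" ] || return 1
    start=$(printf '%s' "$entry" | cut -d: -f2)
    count=$(printf '%s' "$entry" | cut -d: -f3)
    case $cgid in ''|*[!0-9]*) return 1 ;; esac
    [ "$cgid" -lt "$count" ] || return 1
    echo $((start + cgid))
}

# share_cmds <host_dir> <container_gid> [subgid_text]   (hypothetical name)
# Prints the commands to review and then run as root on the Proxmox host.
share_cmds() {
    hgid=$(host_gid "$2" "${3:-$SAMPLE_SUBGID}") || return 1
    # Group ownership by the mapped subgid.
    printf 'chgrp %s %s\n' "$hgid" "$1"
    # ACL on the directory itself (rwx is an assumed permission set).
    printf 'setfacl -m g:%s:rwx %s\n' "$hgid" "$1"
    # Default ACL so new files created under it inherit the same access.
    printf 'setfacl -d -m g:%s:rwx %s\n' "$hgid" "$1"
}

# Container gid 1000 on the host directory from the pct example above.
share_cmds /mnt/bindmounts/shared 1000
```

On a real host, pass the contents of /etc/subgid as the last argument, for example `share_cmds /mnt/bindmounts/shared 1000 "$(cat /etc/subgid)"`.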
This works on a Pi 4, and should work on a Pi 3, but to work on a Pi Zero you would have to figure out how to compile your own client. More info in this thread on the Proxmox forums.
Run the following command. If you get arm64, it's 64bit, otherwise you'll see armv7l which is 32bit.
uname -m