@malefs
Forked from raikel/ubuntu-server-setup.md
Created April 15, 2020 11:11
Ubuntu server setup

Avoid losing SSH connections due to inactivity

On the server, edit the file /etc/ssh/sshd_config:

ClientAliveInterval 30
ClientAliveCountMax 10

Next, restart the SSH service (the unit is named ssh on Ubuntu): sudo systemctl restart ssh

On the client, edit the file /etc/ssh/ssh_config:

ServerAliveInterval 30
ServerAliveCountMax 10

Set server timezone

sudo timedatectl set-timezone America/Mexico_City

Config SSH

# sudo nano /etc/ssh/sshd_config

PasswordAuthentication no
PermitRootLogin no

Config iptables

sudo apt install iptables-persistent netfilter-persistent

Disable default firewall

sudo systemctl stop ufw
sudo systemctl disable ufw
sudo apt remove ufw
sudo apt install iptables-persistent netfilter-persistent

Edit the iptables rules in /etc/iptables/rules.v4, then load the rules, check them and enable the service:

sudo iptables-restore < /etc/iptables/rules.v4
sudo iptables -L
sudo systemctl start netfilter-persistent
sudo systemctl enable netfilter-persistent
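
The gist does not show what goes into rules.v4, and loading a default-deny ruleset over SSH can cut off the session that loaded it. The script below is an added example, not part of the original gist: it writes a constructed minimal ruleset and checks that a rules file still admits SSH before it is loaded. The function names write_sample_rules and ssh_reachable are hypothetical, and port 22 is assumed from the fail2ban section.

```shell
#!/bin/sh
# Added example, not part of the original gist.

# write_sample_rules FILE: constructed minimal ruleset in iptables-save format
# (default-deny inbound, allow loopback, established traffic and SSH on 22).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# ssh_reachable FILE [PORT]: succeed if the filter table's INPUT chain has
# policy ACCEPT or a tcp ACCEPT rule covering PORT (default 22). Coarse check:
# it ignores rule order, source restrictions and jumps to user chains.
ssh_reachable() {
    awk -v port="${2:-22}" '
        function has_port(spec, p,   n, parts, j, r) {
            n = split(spec, parts, ",")
            for (j = 1; j <= n; j++) {
                if (split(parts[j], r, ":") == 2) {
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
                } else if (parts[j] == p) return 1
            }
            return 0
        }
        /^\*/            { in_filter = ($1 == "*filter") }
        !in_filter       { next }
        /^:INPUT ACCEPT/ { ok = 1 }
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if (($i == "--dport" || $i == "--dports") && has_port($(i + 1), port))
                    ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Demo on the constructed sample. On a server, point the check at
# /etc/iptables/rules.v4 before running iptables-restore.
demo=$(mktemp) && write_sample_rules "$demo"
ssh_reachable "$demo" && echo "sample ruleset keeps SSH (port 22) reachable"
rm -f "$demo"
```

After the check passes, sudo iptables-restore --test < /etc/iptables/rules.v4 parses the file without committing it, which catches syntax errors before the real load.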

Fail2ban setup

sudo apt-get install fail2ban
# sudo nano /etc/fail2ban/jail.local

[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

banaction = iptables-multiport

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 1

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

See fail2ban logs, jail status

sudo nano /var/log/fail2ban.log
sudo fail2ban-client status sshd

Automatic updates

sudo apt install unattended-upgrades

Edit /etc/apt/apt.conf.d/50unattended-upgrades. Uncomment the line "${distro_id}:${distro_codename}-updates";. Optionally, modify the following lines:

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:38";

Edit /etc/apt/apt.conf.d/20auto-upgrades with the settings below (time intervals are specified in days):

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";

To check that automatic updates work:

sudo unattended-upgrades --dry-run --debug

To check the automatic update logs:

cat /var/log/unattended-upgrades/unattended-upgrades.log

Optional

Remove unnecessary services

# See open ports
sudo netstat -tulpn
sudo ss -tulpn
sudo lsof -i -n -P

# Stop and remove services (apt is the package manager on Ubuntu)
sudo systemctl stop rpcbind
sudo systemctl disable rpcbind
sudo apt remove rpcbind

Enable syntax highlighting in nano

# nano ~/.nanorc

include /usr/share/nano/sh.nanorc
include /usr/share/nano/php.nanorc
include /usr/share/nano/html.nanorc
include /usr/share/nano/css.nanorc

Solve "dpkg was interrupted you must manually run..."

cd /var/lib/dpkg/updates
sudo rm *
sudo apt-get update