Update
sudo apt-get update
sudo apt-get upgrade
Install fail2ban
sudo apt-get install fail2ban
Make a user to work on
sudo useradd -m -G wheel brian
sudo usermod -c "Brian Cook" brian
sudo passwd brian
Edit sudoers
sudo visudo
Uncomment the line: %wheel ALL=(ALL) ALL
Set up SSH
sudo mkdir /home/brian/.ssh
sudo chmod 700 /home/brian/.ssh
Paste your public key into authorized_keys.
sudo nano /home/brian/.ssh/authorized_keys
sudo chmod 400 /home/brian/.ssh/authorized_keys
sudo chown brian:brian /home/brian -R
Edit sshd_config
sudo nano /etc/ssh/sshd_config
Limit which users (and from which addresses) can SSH in, and disable password logins
PermitRootLogin no
PasswordAuthentication no
AllowUsers brian@{your-ip} deploy@{another-ip}
Restart SSH
sudo service ssh restart
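After restarting, check the settings actually took rather than assuming they did. This is an added example, not part of the original note: a small POSIX shell audit of sshd_config (sshd honours the first uncommented occurrence of a keyword, so a leftover `PasswordAuthentication yes` earlier in the file wins) and of the authorized_keys permissions. The home path /home/brian is the one from the steps above; everything else is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original note: audit the sshd_config and
# authorized_keys settings above instead of trusting that the edits took.
# sshd applies the FIRST uncommented occurrence of each keyword, so a stray
# "PasswordAuthentication yes" higher up in the file silently wins.

# effective_sshd_value FILE KEYWORD -> prints the value sshd would use.
# Scanning stops at the first "Match" block; settings inside it are
# conditional and are not evaluated here.
effective_sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> 0 only if root login and password auth are off.
# A missing keyword falls back to the sshd default, which is not "no".
check_sshd_config() {
    root_login=$(effective_sshd_value "$1" PermitRootLogin)
    pass_auth=$(effective_sshd_value "$1" PasswordAuthentication)
    if [ "$root_login" = "no" ] && [ "$pass_auth" = "no" ]; then
        return 0
    fi
    return 1
}

# check_key_perms HOME -> 0 only if HOME/.ssh is 700 and authorized_keys is
# 400 or 600 (with StrictModes, the default, sshd refuses a key file or
# directory that group/others can write to, and logins silently fail).
check_key_perms() {
    dir_mode=$(stat -c %a "$1/.ssh" 2>/dev/null)
    key_mode=$(stat -c %a "$1/.ssh/authorized_keys" 2>/dev/null)
    if [ "$dir_mode" = "700" ]; then
        case "$key_mode" in
            400|600) return 0 ;;
        esac
    fi
    return 1
}

# Usage on the hardened box (run via sudo so both files are readable):
#   check_sshd_config /etc/ssh/sshd_config && echo "sshd: ok"
#   check_key_perms /home/brian && echo "authorized_keys perms: ok"
```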
Set up the firewall
sudo ufw allow from {your-ip} to any port 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
Enable automatic security updates
sudo apt-get install unattended-upgrades
Edit
sudo nano /etc/apt/apt.conf.d/10periodic
to include
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Edit
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
to include
Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
// "Ubuntu lucid-updates";
};
Install Logwatch
sudo apt-get install logwatch
Edit
sudo nano /etc/cron.daily/00logwatch
by adding
/usr/sbin/logwatch --output mail --mailto {your-email} --detail high
Make BASH the default shell, but first get PAM off your butt
sudo nano /etc/pam.d/chsh
and comment out the line to look like
#auth required pam_shells.so
then make BASH the default shell
sudo chsh -s /bin/bash brian
and uncomment the line in
sudo nano /etc/pam.d/chsh
to look like
auth required pam_shells.so
Now let's add some color to the shell upon login
nano /home/brian/.bash_profile
Go ahead and find a nice little template to put in there, google is your friend
Then, make the command 'bash' still give us color
ln -s /home/brian/.bash_profile /home/brian/.bashrc
Make a web group for people who should be able to edit the websites in /var/www
sudo groupadd web
Add yourself to the group
sudo usermod -aG web brian
Change the owner of /var/www and set the setgid bit so new files inherit the web group
sudo chown brian:web -R /var/www
sudo chmod g+s /var/www
Make sure the umask is set to 0002 so files created in /var/www are group-writable; check it with
cd /var/www
umask