This document covers the basic steps any system admin should take after a fresh installation of a Linux server.
As a case example I use a Debian-based system, but it is almost 100% applicable to any Linux or Un*x server.
If during installation we were forced to create a non-privileged user, we should remove it for more security:
# userdel -r USER
In general it is a good idea to change the default port for SSH connections (22) to another one. This cuts down the automated login attempts from bots that scan the default port.
Edit /etc/ssh/sshd_config and change "Port 22" to another port.
Also, add our public key to "/root/.ssh/authorized_keys" and, again in "sshd_config", set "PermitRootLogin without-password" so that root can only log in with a key.
Use common commands to check which running services we do not need, or which should only listen locally:
# netstat -putan
# ps aux
# ls /etc/rc2.d
# apt-get remove --purge cups # for example, if we don't need cups at all
# update-rc.d -f cups remove # for example, if using traditional bootup; see next if using dependency-based boot, or refer to systemd's manual
# cp /etc/init.d/cups /etc/insserv/overrides/
# vim /etc/insserv/overrides/cups # set the Default-Start/Default-Stop runlevels to nothing
# insserv --remove cups
# insserv --default cups
At least a basic firewall is always a good idea to prevent unnecessary or malicious daemons from being exposed to the net, especially if it is a public server. The first step is to make it persistent, so let's install a simple package that will take care of that:
# apt-get install iptables-persistent
Start adding some basic rules:
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep established and related connections
# iptables -I INPUT 1 -i lo -j ACCEPT # Accept all traffic in loopback interface
# iptables -P INPUT DROP # Drop all input packets by default
If we need to allow the SSH port we configured before:
# iptables -A INPUT -p tcp --dport PORT_NUM -j ACCEPT
And finally store the rules in "/etc/iptables/rules.v4" and "/etc/iptables/rules.v6":
# /etc/init.d/iptables-persistent save
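As an added example (not from the original post), here is a small POSIX sh script that writes the baseline above in the iptables-restore format that iptables-persistent reads from "/etc/iptables/rules.v4" and loads it atomically, so there is no window where the INPUT policy is already DROP but the SSH port is not yet accepted (which is what happens when the rules are typed live in the order shown). The SSH port, the output path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the
# iptables-persistent rules file for the baseline firewall and applies it
# atomically with iptables-restore. Port, path and names are assumptions.
set -eu

# Return 0 if $1 is a valid TCP port number (1-65535), 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules in iptables-restore format for the given SSH port.
# The INPUT policy is set in the chain header, so it takes effect in the
# same atomic load as the ACCEPT rules. FORWARD and OUTPUT stay ACCEPT,
# as in the post, which only restricts INPUT.
gen_rules_v4() {
    port="$1"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $port -j ACCEPT
COMMIT
EOF
}

# Write the file and load it in one step (requires root). iptables-restore
# rejects the whole file on a syntax error, leaving the current rules intact,
# and the file is only moved into place after a successful load.
apply_rules() {
    port="${1:-22}"
    file="${2:-/etc/iptables/rules.v4}"
    gen_rules_v4 "$port" > "$file.new"
    iptables-restore < "$file.new"
    mv "$file.new" "$file"
}

# Usage as root, with the SSH port chosen earlier:  apply_rules 2222
```

The same file format, with "ip6tables-restore", applies to "/etc/iptables/rules.v6".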
Check "/etc/fstab" and edit the ext3/ext4 filesystem options accordingly.
The recommended option for better performance when reading files is "relatime" or "noatime".
After configuring your email server, you may want to forward the emails sent to root. Edit "/etc/aliases" and add
In order to keep your system up to date with security packages, it is a must to periodically upgrade, or at least to notify yourself about available updates. In Debian-based systems we can use tools like "apticron".
In this example we will use "unattended-upgrades":
# apt-get install unattended-upgrades bsd-mailx
Tweak the configuration file as needed: "/etc/apt/apt.conf.d/50unattended-upgrades".
Tell the program to do automatic upgrades by selecting Yes:
# dpkg-reconfigure -plow unattended-upgrades
This will create the file "/etc/apt/apt.conf.d/02periodic". Mine looks like this:
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";
// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";
// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";
// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";
// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";
Unattended upgrades will be run once per day from the cron job script "/etc/cron.daily/apt".
The script will log to the file "/var/log/unattended-upgrades/unattended-upgrades.log".
Install the "apticron" package:
# apt-get install apticron
Edit "/etc/apticron/apticron.conf" and set EMAIL="email@example.com", or leave the default, in which case it will send the notifications to root (or its forwarding alias).
If the machine runs on a virtualized disk (i.e. no direct disk or RAID controller access), this step should be skipped.
Make sure to have the smartmontools package installed and enabled as a boot service.
Check logs and see if all drives are being monitored and/or configure /etc/smartd.conf accordingly. Be sure to put all the device lines before any "DEVICESCAN" line (put them at the head of the file to be sure).
Run a first long self-test by issuing the following command for each disk:
# apt-get install smartmontools
# smartctl -a -t long /dev/DEVICE
You can check its progress by executing:
# smartctl -a /dev/DEVICE
In any case, if the test fails, we should receive an e-mail notification, provided everything has been set up correctly.
Avoid using dash instead of bash as /bin/sh: it can break a lot of scripts, especially third-party software installation ones.
# dpkg-reconfigure dash