
Deploying a server

Basic steps after installing a new Linux server

This document covers the basic steps any system administrator should take after a fresh installation of a Linux server.

As a case example I use a Debian-based system, but almost everything here applies to any Linux or Un*x server.

Let's start!

Delete the user created during installation

If the installer forced us to create a non-privileged user that we are not going to use, remove it together with its home directory, so that no unused account with a password is left behind. Before doing so, make sure we can still log in as root (on the console, or with the SSH key set up in the next section):

# userdel -r USER

SSH server configuration

In general it is a good idea to move the SSH daemon off its default port (22) to another one. This does not make sshd any harder to break into, but it keeps most automated bots and scanners out of the logs.

Edit /etc/ssh/sshd_config and change "Port 22" to another one.

Also, we should add our public key to "/root/.ssh/authorized_keys" and set "PermitRootLogin prohibit-password" in "sshd_config" ("without-password" is the older spelling of the same value and is still accepted). Once the key works, also set "PasswordAuthentication no" so that no account can be brute-forced. Check the file with "sshd -t" and reload the service, then test the new port from a second terminal before closing the current session.
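The edits above can be applied in a repeatable way. The script below is an added example, not code from the original article: it rewrites a directive in an sshd_config file idempotently (also when the line is commented out, and without touching directives scoped under a Match block, since sshd takes the first global value it sees), applies the settings from this section, and only reloads sshd when "sshd -t" accepts the file. Function names and the constructed sample config are assumptions; on a real host point it at /etc/ssh/sshd_config and run it as root.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently set sshd_config
# directives, then validate and reload. Function names are illustrative.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first global "KEY ..." line (commented out or not) and drops later
# duplicates; if there is none, inserts "KEY VALUE" before the first Match block
# (anything after a Match line is scoped to it, and sshd uses the first global
# value it finds, so appending at the end would be wrong).
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        /^[ \t]*Match[ \t]/ && !inmatch { inmatch = 1; if (!done) { print k " " v; done = 1 } }
        !inmatch && $0 ~ ("^[# \t]*" k "[ \t]") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # overwrite in place to keep the file owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the effective global value (first match before any Match block)
get_sshd_option() {
    awk -v k="$2" '
        /^[ \t]*Match[ \t]/ { exit }
        tolower($1) == tolower(k) && !found { val = $2; found = 1 }
        END { print val }
    ' "$1"
}

# harden_sshd FILE PORT: the settings from the section above, plus keys-only authentication
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin prohibit-password   # root with keys only ("without-password" is the old spelling)
    set_sshd_option "$1" PasswordAuthentication no          # no password logins for anyone
    set_sshd_option "$1" PubkeyAuthentication yes
}

# apply_sshd FILE: on a real host, never reload on a broken config, so a typo cannot lock us out
apply_sshd() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" && systemctl reload ssh
    fi
}

# Demo on a constructed config; the Match block is there to show the scoping rule
demo_sshd() {
    cfg=$(mktemp)
    printf '%s\n' '# sample sshd_config (constructed)' '#Port 22' 'PermitRootLogin yes' \
        'Match User backup' '    PasswordAuthentication yes' > "$cfg"
    harden_sshd "$cfg" 2222
    cat "$cfg"
    rm -f "$cfg"
}

demo_sshd
```

Running the script a second time leaves the file unchanged, which is what makes it safe to keep in a provisioning step. get_sshd_option reads only the global section, which is the value that applies to the root login we care about here.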

Remove or disable unnecessary services

Use the usual tools to check which services are running, which of them we don't need, and which should only listen on localhost.

# netstat -putan # listening sockets and the processes behind them
# ps aux
# ls /etc/rc2.d # services enabled in the default runlevel (sysvinit)
# apt-get remove --purge cups # for example, if we don't need cups at all
# update-rc.d -f remove cups # for example, if using traditional sysvinit boot; see the next lines if using dependency-based boot (insserv), or refer to systemd's manual
# cp /etc/init.d/cups /etc/insserv/overrides/ # dependency-based boot: copy the init script to the overrides directory...
# vim /etc/insserv/overrides/cups # ...and edit its LSB header so that "Default-Start" lists no runlevels
# insserv --remove cups; insserv --default cups
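What we are really looking for in that output is anything listening on a non-loopback address. The function below is an added example, not part of the original article: it reads the output of "ss -tulpn" (the iproute2 replacement for "netstat -putan" on systems where netstat is no longer installed) and prints only the sockets reachable from the network, with the owning process when ss could see it. The sample ss output is constructed for the demo and the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: list the listening sockets that
# are not bound to a loopback address, from "ss -tulpn" output on stdin.
set -eu

# audit_listeners: prints "proto address port process" for every socket that is
# bound to something other than 127.0.0.0/8 or ::1
audit_listeners() {
    awk '
        NR == 1 && $1 == "Netid" { next }              # skip the header line if present
        NF >= 5 {
            addr = $5; sub(/:[^:]*$/, "", addr)        # "[::]:22" -> "[::]", "0.0.0.0:22" -> "0.0.0.0"
            port = $5; sub(/.*:/, "", port)
            if (addr ~ /^(127\.|\[::1\]$|\[::ffff:127\.)/) next   # loopback only: fine
            proc = "?"                                 # ss omits the process for sockets it cannot inspect
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            printf "%s %s %s %s\n", $1, addr, port, proc
        }'
}

# Constructed sample of "ss -tulpn" output (ports and PIDs are made up)
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=800,fd=7))
tcp   LISTEN 0      128    [::]:22           [::]:*        users:(("sshd",pid=1234,fd=4))
tcp   LISTEN 0      80     [::1]:3306        [::]:*        users:(("mysqld",pid=900,fd=20))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=600,fd=6))
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*'

# exposed_from_sample: run the audit over the constructed sample
exposed_from_sample() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners
}

exposed_from_sample
# On a real host:  ss -tulpn | audit_listeners
```

In the sample, cupsd and mysqld are bound to loopback and are not reported; the unidentified udp/111 listener (no process shown, as happens when ss is run without enough privilege) is exactly the kind of thing worth tracking down with "ps aux" afterwards. On systemd hosts the equivalent of "update-rc.d -f remove" for whatever turns up is "systemctl disable --now UNIT".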

Firewall (netfilter/iptables)

At least a basic firewall is always a good idea, so that daemons we did not mean to expose (or malicious ones) are not reachable from the net, especially on a public server. The first step is to make the rules persistent, so let's install a simple package that takes care of that:

# apt-get install iptables-persistent

Start adding some basic rules, in this order:

# iptables -I INPUT 1 -i lo -j ACCEPT # Accept all traffic on the loopback interface
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep established and related connections (this is what keeps our own SSH session alive)
# iptables -A INPUT -p tcp --dport PORT_NUM -j ACCEPT # Allow the SSH port we configured before
# iptables -P INPUT DROP # Drop all other input packets by default

Add the SSH rule before switching the policy to DROP: the conntrack rule keeps the current session open, but new SSH connections would be refused until the port is allowed.

And finally store the rules in "/etc/iptables/rules.v4" and "/etc/iptables/rules.v6":

# /etc/init.d/iptables-persistent save

On Debian jessie and later the same package provides "netfilter-persistent save" for this. Note that "rules.v6" holds the ip6tables ruleset, which at this point still accepts everything: if the server has an IPv6 address, repeat the rules above with ip6tables (allowing ICMPv6 as well, or neighbour discovery breaks) before saving.
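Rather than typing the rules interactively and saving whatever ended up in the kernel, the rulesets can be generated directly in the iptables-restore format that those two files use. The script below is an added example and not code from the original article: it emits a ruleset for either address family with the ordering discussed above (loopback and conntrack first, the allowed ports, DROP as the chain policy), allows ICMPv6 in the IPv6 variant because IPv6 does not work without it, and parse-checks the files with "iptables-restore --test" when the tool is present. Function names and the ports used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: generate rules.v4 / rules.v6 in
# iptables-restore format for iptables-persistent / netfilter-persistent.
set -eu

# gen_rules FAMILY SSH_PORT [TCP_PORT...]
# FAMILY is 4 or 6. Order matters: loopback and conntrack first, then the
# allowed ports; DROP as the INPUT policy drops everything not listed.
gen_rules() {
    family=$1 ssh_port=$2
    shift 2
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    if [ "$family" = 6 ]; then
        # ICMPv6 carries neighbour discovery; dropping it breaks IPv6 entirely
        printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT'
    else
        printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    fi
    # the format is reused once per argument: SSH port first, then the extra ports
    printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$ssh_port" "$@"
    printf '%s\n' 'COMMIT'
}

# write_rules DIR SSH_PORT [TCP_PORT...]: write both files (DIR is /etc/iptables on a
# real host) and, if iptables-restore is available, parse-check them without applying
write_rules() {
    dir=$1; shift
    gen_rules 4 "$@" > "$dir/rules.v4"
    gen_rules 6 "$@" > "$dir/rules.v6"
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$dir/rules.v4"
        ip6tables-restore --test "$dir/rules.v6"
    fi
}

# Demo: SSH on 2222 plus a web server (ports are assumptions)
gen_rules 4 2222 80 443
gen_rules 6 2222
# On a real host:  write_rules /etc/iptables 2222 80 443 && netfilter-persistent reload
```

The files are loaded at boot by the persistence package; "iptables-restore < /etc/iptables/rules.v4" (and the ip6tables counterpart) applies them immediately. Keep a second SSH session open while doing that the first time.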

Tune filesystem options

Check "/etc/fstab" and adjust the mount options of the ext3/ext4 filesystems accordingly.

For better read performance use "relatime" (the default on current kernels) or "noatime", so that reading a file does not cause a write to update its access time. On partitions that should never contain executables or device nodes (for example /tmp or /home) the "nodev", "nosuid" and "noexec" options are worth considering as well.

Configure alias for root mail

After configuring your mail server, you will probably want mail sent to root to be forwarded to a real mailbox. Edit "/etc/aliases" and add

root: your_email@example.com

Then run:

# newaliases

Security updates

In order to keep the system up to date with security fixes, it is a must either to upgrade periodically or to get notified about available updates. On Debian-based systems we can use tools like "apticron" for the notifications.

In this example we will use "unattended-upgrades":

# apt-get install unattended-upgrades bsd-mailx

Tweak the configuration file as needed: "/etc/apt/apt.conf.d/50unattended-upgrades" (for a server, keep only the security origin enabled and set "Unattended-Upgrade::Mail" so that you hear about what was installed and about failures).

Tell the program to do automatic upgrades by selecting Yes:

# dpkg-reconfigure -plow unattended-upgrades

This creates the file "/etc/apt/apt.conf.d/02periodic" (recent versions write the same settings to "20auto-upgrades" instead). Mine looks like this:

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";

Unattended upgrades run once per day from the cron job script "/etc/cron.daily/apt" (on systemd-based releases the "apt-daily.timer" and "apt-daily-upgrade.timer" units drive the same script, and the cron entry is reduced to "apt-compat").
The script logs to "/var/log/unattended-upgrades/unattended-upgrades.log".
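Since the settings can be spread over several files in /etc/apt/apt.conf.d and later files override earlier ones, it is worth checking the effective values rather than one file. The function below is an added example and not part of the original article or of the unattended-upgrades package: it reads apt.conf-style "APT::Periodic::..." lines on stdin, which is both the format of the file above and the format "apt-config dump" prints for the merged configuration, and fails when the daily update or the unattended-upgrade step is off. Enable only fails when explicitly set to 0, since the cron script treats a missing value as 1. The function name and the sample snippets are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: check that the APT::Periodic
# settings that make unattended upgrades actually run are in place.
set -eu

# check_apt_periodic: reads apt.conf-style lines on stdin; exits 0 when
# Update-Package-Lists and Unattended-Upgrade are non-zero and Enable is not
# explicitly 0, otherwise prints what is wrong and exits 1
check_apt_periodic() {
    awk '
        /^[ \t]*APT::Periodic::/ {
            key = $1; sub(/^[ \t]*APT::Periodic::/, "", key)
            val = $2; gsub(/["; ]/, "", val)
            seen[key] = val                     # a later definition overrides an earlier one, like apt
        }
        END {
            rc = 0
            if (("Enable" in seen) && seen["Enable"] == "0") {
                print "APT::Periodic::Enable is set to 0: the daily script does nothing"
                rc = 1
            }
            n = split("Update-Package-Lists Unattended-Upgrade", want, " ")
            for (i = 1; i <= n; i++) {
                if (!(want[i] in seen) || seen[want[i]] == "0") {
                    printf "APT::Periodic::%s is missing or set to 0\n", want[i]
                    rc = 1
                }
            }
            if (!("Download-Upgradeable-Packages" in seen))
                print "note: Download-Upgradeable-Packages not set (optional)"
            exit rc
        }'
}

# Constructed sample with the values from the 02periodic file above
SAMPLE_PERIODIC='// comment lines are ignored
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";'

printf '%s\n' "$SAMPLE_PERIODIC" | check_apt_periodic && echo "unattended upgrades enabled"
# On a real host:  apt-config dump | check_apt_periodic
```

To see what a run would actually do without installing anything, "unattended-upgrade --dry-run -d" prints the candidate packages and the origins it considered.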

Optionally install apticron for notifications

Install the "apticron" package:

# apt-get install apticron

Edit "/etc/apticron/apticron.conf" and set "EMAIL=your_email@example.com", or leave the default, in which case it sends the reports to root (or its forwarding alias).

SMARTCTL (only for physical disks)

If the machine runs on a virtualized disk (i.e. no direct disk or RAID controller access), skip this step: SMART data is not available through the hypervisor's virtual disk.

Install the smartmontools package and make sure the smartd daemon is enabled as a boot service:

# apt-get install smartmontools

Check the logs to see that all drives are being monitored and/or configure /etc/smartd.conf accordingly. Put every explicit device line before any "DEVICESCAN" line (at the head of the file, to be sure): smartd ignores the rest of the file once it reaches DEVICESCAN.

Run a first long self-test, issuing the following command for each disk:

# smartctl -a -t long /dev/DEVICE


You can check its progress (and the self-test log) with:

# smartctl -a /dev/DEVICE

If the test fails, we should receive an e-mail notification, provided smartd is told where to mail (the "-m" directive in smartd.conf) and the root alias from above is in place.

TIPS

Debian links /bin/sh to dash, and scripts that start with "#!/bin/sh" but use bash-only features (arrays, "[[ ]]", "source", ...) break under it; third-party installation scripts are the usual offenders. If you keep running into that, point /bin/sh back to bash (answer No when asked whether dash should be the default system shell):

# dpkg-reconfigure dash

Scripts with an explicit "#!/bin/bash" line are unaffected either way, and "checkbashisms" from the devscripts package lists the offending lines if you prefer to fix the scripts instead.
