Setting Up A Fresh Linux Server

  • Published: August 25, 2018

Overview

This is a checklist of the tasks I find useful to do after installing GNU/Linux (Ubuntu) on a computer.

It covers the steps to take after installing a fresh Linux server, mainly oriented to a developer user.

Set Timezone

dpkg-reconfigure tzdata

Set editors

Default editor

export EDITOR=vim

Users

Create new user

Create a user with useradd: -m creates a home folder and -s sets bash as the default shell for john.

useradd -m -s /bin/bash john

Add user to admin group

Add john to the sudo group.

usermod -a -G sudo john

Set new user password

Give new user a password.

passwd john

Switch to new user

Switch to the john account:

su - john

Give admin permissions

Run visudo as root and add this line:

john    ALL=(ALL:ALL) ALL

SSH

SSH configuration

vi /etc/ssh/sshd_config

With data:

Port 4444
PermitRootLogin no
AllowUsers john

And restart SSH

systemctl restart sshd.service

Before leaving the server, check that sshd is listening on the new port and test that you can log in from your local terminal:

netstat -tln | grep 4444
ssh john@myserverip -p4444

SSH config

The OpenSSH client config file lets you create shortcuts for accessing the server from another computer.

It is the place to save custom ports and hostnames so you can connect with "ssh foo" from the client.

vi ~/.ssh/config

With data:

Host server1
     HostName server1.biz
     User john
     Port 4444

Now test login:

ssh server1

Copying the public key of your default identity to a remote host

The public key should have been generated beforehand with ssh-keygen. Copy the public key file to the server:

ssh-copy-id user@server1

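On the server, restrict the permissions of the .ssh directory and the authorized_keys file:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys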

Enable firewall

If you are running the ufw firewall, allow the SSH port configured above. First confirm the port in the sshd configuration:

grep -i "port" /etc/ssh/sshd_config

Then allow it in ufw:

sudo ufw allow 4444

Fail2ban

Prevent SSH brute-force attacks with Fail2ban:

sudo apt-get update -y
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

In the [ssh] section, configure the port used by the SSH daemon:

[ssh]
enabled = true
port = 4444
filter = sshd
maxretry = 6

Check that your SSH jail is set up:

sudo fail2ban-client status
systemctl enable fail2ban
systemctl restart fail2ban

The fail2ban rules will now appear in the output of sudo iptables -L.

If it is not logging: http://serverfault.com/questions/597832/fail2ban-not-working-on-fresh-install-of-ubuntu-14-04-why
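
An added example, not part of the original post: the SSH port on this page is set in sshd_config and again in the fail2ban jail, and if the two disagree fail2ban bans on a port sshd no longer uses. The function names and sample files below are constructed for illustration; on a real host, pass /etc/ssh/sshd_config and /etc/fail2ban/jail.local instead.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): verify that the settings from
# this checklist agree across sshd_config and fail2ban's jail.local.

# First uncommented value of KEY; sshd uses the first occurrence of a keyword.
sshd_value() {  # usage: sshd_value FILE KEY
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Value of "port" inside [SECTION] of a fail2ban jail file.
jail_port() {  # usage: jail_port FILE SECTION
    awk -v want="[$2]" '
        /^\[/ { in_sec = ($1 == want); next }
        in_sec && /^port[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Prints one line per finding; the return code is the number of findings.
# Simplification (assumption): the jail port must be the same number as sshd's,
# so a service name such as "ssh" is reported as a mismatch for a custom port.
check_ssh_hardening() {  # usage: check_ssh_hardening SSHD_CONFIG JAIL_FILE SECTION USER
    local port root users jport problems=0
    port=$(sshd_value "$1" Port); port=${port:-22}   # sshd listens on 22 if unset
    root=$(sshd_value "$1" PermitRootLogin)
    users=$(sshd_value "$1" AllowUsers)
    jport=$(jail_port "$2" "$3")
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', expected 'no'"; problems=$((problems + 1))
    fi
    case " $users " in
        *" $4 "*) ;;
        *) echo "AllowUsers does not list '$4'"; problems=$((problems + 1)) ;;
    esac
    if [ "$jport" != "$port" ]; then
        echo "fail2ban [$3] watches port '${jport:-unset}', sshd listens on $port"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files: sshd was moved to 4444 but the jail was not updated.
demo=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 4444' 'PermitRootLogin no' 'AllowUsers john' > "$demo/sshd_config"
printf '%s\n' '[ssh]' 'enabled = true' 'port = ssh' 'filter = sshd' > "$demo/jail.local"
check_ssh_hardening "$demo/sshd_config" "$demo/jail.local" ssh john || echo "findings: $?"
rm -rf "$demo"
```

A return code of 0 means the two files agree with the settings used on this page.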

Firewall

Enable the Uncomplicated Firewall (UFW): https://help.ubuntu.com/community/UFW

Turn on

Turn firewall on with the default set of rules:

sudo ufw enable

And check the status:

sudo ufw status verbose

Allow and deny ports

sudo ufw allow <port>/<protocol>
sudo ufw deny <port>/<protocol>

List profiles

sudo ufw app list

Web servers

nginx

Install

sudo apt install nginx

Add to firewall

List the profiles that ufw firewall has:

sudo ufw app list

So it shows three profiles for nginx:

  • Nginx Full: Opens both port 80 and 443 (TLS/SSL encrypted traffic)
  • Nginx HTTP: Opens only port 80
  • Nginx HTTPS: Opens only port 443 (TLS/SSL encrypted traffic)

Then choose one and allow it:

sudo ufw allow 'Nginx HTTP'

To check that it has been added, run: ufw status

Use systemctl

Check that nginx is running: systemctl status nginx

Useful commands:

sudo systemctl stop nginx
sudo systemctl start nginx
sudo systemctl restart nginx
sudo systemctl reload nginx

Server Blocks

For each website you will want nginx to serve, you need to define a server block (in Apache this is known as Virtual Hosts).

Create the directory to hold the website:

sudo mkdir -p /var/www/example.com/html

Give your user ownership of the directory:

sudo chown -R $USER:$USER /var/www/example.com/html

And copy your website to /var/www/example.com/html.

New site

Create a new site at /etc/nginx/sites-available/example.com with the following content:

server {
        listen 80;
        listen [::]:80;

        root /var/www/example.com/html;
        index index.html index.htm index.nginx-debian.html;
        error_page 404 /errors/404.html;

        server_name example.com www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

And enable it:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Test that the configuration is OK:

sudo nginx -t

And load the new configuration:

sudo systemctl reload nginx

Git

Setting up a git server

Git server https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server

Hostname & FQDN

https://github.com/DigitalOcean-User-Projects/Articles-and-Tutorials/blob/master/set_hostname_fqdn_on_ubuntu_centos.md

Marcelo Canina
I'm Marcelo Canina, a developer from Uruguay. I build websites and web-based applications from the ground up and share what I learn here.
Except as otherwise noted, the content of this page is licensed under CC BY-NC-ND 4.0