Ubuntu Server
Note
This assumes Ubuntu Minimal has been installed and that OpenSSH was installed during the initial OS installation process.
Installation
Installation is straightforward, so there is no need to cover it here, but there are a few things to note when running the installer:
- At the "Choose the type of installation" prompt, I use the "Ubuntu Server (minimized)" option. This keeps the installation as small as possible so that I install only what is needed.
- In "Network configuration" I always set a static IP address. I also set a DHCP reservation in my firewall (pfSense) so the address is not handed out to another host.
- Uncheck "Set up this disk as an LVM group" in the "Guided storage configuration" prompt. I uncheck this option since I do not use any of the features LVM provides.
- I always select the option to "Install OpenSSH server".
Run Updates
Set Timezone
You can look up the correct timezone here.
Install Cron
Cron is a job scheduler that will perform tasks at a given time or interval.
Install Nano
Nano is a basic command line text editor that I prefer to use.
Install Net-Tools
Package containing tools for obtaining network information and diagnosing network problems, including arp, hostname, ifconfig, netstat, rarp, and route.
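The post-install steps above (updates, timezone, cron, nano, net-tools) as one idempotent script. This is an added example, not the page's own commands: it assumes Debian/Ubuntu tooling (apt-get, dpkg-query, timedatectl), is run with sudo, and only installs packages that are not already present. The timezone defaults to a placeholder and is validated against tzdata before it is applied, so a typo cannot leave the host on a bogus zone.

```shell
#!/bin/sh
# Added example (not the page's own commands): idempotent post-install bootstrap
# for a minimal Ubuntu Server. Assumes apt-get, dpkg-query and timedatectl are
# present and the script runs as root (sudo).
set -eu

# Packages the page installs after the base system.
WANTED_PKGS="cron nano net-tools"
# Timezone to apply; placeholder default, override with TIMEZONE=Europe/Berlin etc.
TIMEZONE="${TIMEZONE:-Etc/UTC}"

# Installed package names, one per line. Kept in its own function so the
# selection logic can be tested with a fixed list instead of the dpkg database.
installed_pkgs() {
    dpkg-query -W -f='${Status} ${Package}\n' 2>/dev/null \
        | awk '$3 == "installed" {print $4}'
}

# Print only the requested packages that are not yet installed.
missing_packages() {
    installed="$(installed_pkgs)"
    for pkg in "$@"; do
        # Whole-line match so "nano" does not match a package named "nano-tiny".
        if ! printf '%s\n' "$installed" | grep -qx "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# A timezone name is accepted only if tzdata ships a matching zoneinfo file;
# empty names, path traversal and absolute paths are rejected outright.
valid_timezone() {
    case "$1" in
        ""|*..*|/*) return 1 ;;
    esac
    [ -f "/usr/share/zoneinfo/$1" ]
}

main() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get -y dist-upgrade                        # "Run Updates"

    if valid_timezone "$TIMEZONE"; then
        timedatectl set-timezone "$TIMEZONE"       # "Set Timezone"
    else
        echo "unknown timezone: $TIMEZONE" >&2
        exit 1
    fi

    # WANTED_PKGS is intentionally word-split into separate arguments.
    # shellcheck disable=SC2086
    to_install="$(missing_packages $WANTED_PKGS)"
    if [ -n "$to_install" ]; then
        # shellcheck disable=SC2086
        apt-get -y install $to_install
    fi
    systemctl enable --now cron
}

# Actions run only when asked for, so the file can be sourced to reuse the functions.
if [ "${1:-}" = "--run" ]; then main "$@"; fi
```

Run it as `sudo TIMEZONE=Europe/Berlin sh bootstrap.sh --run`; a second run does nothing except the update/upgrade, because `missing_packages` returns an empty list.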
Configure NTP
Install chrony:
I am running an NTP server on my pfSense firewall, so I redirect NTP requests to it by adding it to the chrony config.
Locate the section listing NTP servers. It should look like this:
pool ntp.ubuntu.com iburst maxsources 4
pool 0.ubuntu.pool.ntp.org iburst maxsources 1
pool 1.ubuntu.pool.ntp.org iburst maxsources 1
pool 2.ubuntu.pool.ntp.org iburst maxsources 2
Comment out the default sources and add the local NTP server:
server 192.168.0.1 iburst
#pool ntp.ubuntu.com iburst maxsources 4
#pool 0.ubuntu.pool.ntp.org iburst maxsources 1
#pool 1.ubuntu.pool.ntp.org iburst maxsources 1
#pool 2.ubuntu.pool.ntp.org iburst maxsources 2
Reload the chrony sources:
Enable NTP:
Check to see if it is working:
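The chrony edit above, done as a script rather than by hand, with a check that the only active source is the local server before the file is installed. This is an added example and not the page's own commands; it assumes Ubuntu's chrony layout (/etc/chrony/chrony.conf, service name "chrony") and uses the page's 192.168.0.1 as the local NTP server. The default pools are commented out, not deleted, so they can be restored later.

```shell
#!/bin/sh
# Added example (not the page's own commands): point chrony at a single local
# NTP server and verify it is being used. Assumes /etc/chrony/chrony.conf and
# a "chrony" systemd unit, as on Ubuntu Server.
set -eu

CHRONY_CONF="${CHRONY_CONF:-/etc/chrony/chrony.conf}"
NTP_SERVER="${NTP_SERVER:-192.168.0.1}"      # the page's pfSense address

# Rewrite the config so the local server is the only time source:
#   - every active "pool"/"server"/"peer" line is commented out, not deleted;
#   - one "server <ip> iburst" line is inserted where the first source was.
# Result goes to stdout; the caller decides where to write it.
redirect_sources() {
    awk -v srv="$1" '
        /^[ \t]*(pool|server|peer)[ \t]/ {
            if (!done) { print "server " srv " iburst"; done = 1 }
            print "#" $0
            next
        }
        { print }
        END { if (!done) print "server " srv " iburst" }  # config had no sources at all
    ' "$2"
}

# Active (uncommented) time sources in a config file.
active_sources() {
    grep -E '^[[:space:]]*(pool|server|peer)[[:space:]]' "$1" | awk '{print $2}'
}

apply() {
    tmp="$(mktemp)"
    redirect_sources "$NTP_SERVER" "$CHRONY_CONF" > "$tmp"
    # Refuse to install a config that still lists anything but the local server.
    [ "$(active_sources "$tmp")" = "$NTP_SERVER" ] || { echo "unexpected sources" >&2; exit 1; }
    cp "$CHRONY_CONF" "$CHRONY_CONF.bak"
    install -m 0644 "$tmp" "$CHRONY_CONF"
    rm -f "$tmp"
    systemctl enable --now chrony      # run now and at every boot
    chronyc reload sources             # re-read the source list without a restart
    sleep 5
    chronyc sources -v                 # "^*" in the first column marks the selected source
    chronyc tracking                   # "Leap status : Normal" means the clock is synchronised
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

If `chronyc sources` shows the local server with `?` instead of `*` after a minute, the firewall is not answering NTP on that address; check that its NTP service listens on the LAN interface before touching the client again.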
SSH Keys
Create SSH Keys
Create an SSH key pair for your computer. I have a single administration workstation (VM) that I use to ssh into all of my servers from.
Create a key pair on each computer you wish to ssh into the server from:
- It is highly recommended to set a passphrase on every key pair.
- If a key passphrase is set, you will be prompted for it the first time the key is used and it is then cached for the rest of the session.
- You will still need the sudo password of your account on the server when running sudo commands.
- Save the key pair into your ~/.ssh/ directory if on Linux.
- I name the key pair after the local computer name for easy identification, e.g. ~/.ssh/compy486_key
Copy SSH Keys to Server
Copy the public key of each key pair you have generated to the server:
Testing
Test that you can SSH in from each computer without being asked for a password:
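The key workflow from "Create SSH Keys" through "Testing" as one script: generate a passphrase-protected ed25519 key named after the workstation, refuse to proceed if the key turns out to be unprotected, install the public key with ssh-copy-id, and prove that a login succeeds with keys only. This is an added example, not the page's own commands; it assumes the OpenSSH client tools and treats `user@server` as a placeholder argument.

```shell
#!/bin/sh
# Added example (not the page's own commands): create, install and verify an SSH
# key pair in the page's naming scheme. Assumes ssh-keygen, ssh-copy-id and ssh.
set -eu

# Key file path in the page's naming scheme: ~/.ssh/<computer name>_key
key_path_for() {
    printf '%s/.ssh/%s_key\n' "$HOME" "$1"
}

# Create the key pair if it does not exist yet. ssh-keygen asks for the
# passphrase interactively; -a 64 slows down offline guessing of that passphrase.
create_key() {
    key="$1"
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    [ -f "$key" ] || ssh-keygen -t ed25519 -a 64 -C "$(hostname -s)-$(date +%F)" -f "$key"
}

# Returns 0 only if the private key is passphrase-protected: printing the public
# key with an empty passphrase succeeds solely on unprotected keys.
key_has_passphrase() {
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Install the public key in the server's authorized_keys. This asks for the
# account password once, so PasswordAuthentication must still be on at this point.
copy_key() {
    ssh-copy-id -i "$1.pub" "$2"
}

# Verify a non-interactive key login. BatchMode forbids any prompt, so a
# failure here means the key is not accepted, not that a password was asked for.
test_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -i "$1" "$2" 'echo key-login-ok'
}

main() {
    target="$1"                                       # placeholder: user@server
    key="$(key_path_for "$(hostname -s)")"
    create_key "$key"
    key_has_passphrase "$key" || { echo "refusing to use an unprotected key: $key" >&2; exit 1; }
    # With an agent running, the passphrase is entered once per session.
    [ -n "${SSH_AUTH_SOCK:-}" ] && ssh-add "$key"
    copy_key "$key" "$target"
    test_key_login "$key" "$target"
}

if [ "${1:-}" = "--target" ]; then main "${2:?user@server}"; fi
```

Usage: `sh sshkeys.sh --target admin@server.example.lan`. Do the hardening step that follows only after `test_key_login` prints `key-login-ok` from every workstation you need.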
Harden SSH
Edit the SSH server configuration file:
- change AddressFamily to inet
- change ListenAddress to the ip address of the server
- change LoginGraceTime to 60s or less
- change PermitRootLogin to no
- change MaxAuthTries to 3
- change PubkeyAuthentication to yes
- change HostbasedAuthentication to yes
- change PasswordAuthentication to no (MAKE SURE YOUR KEYS ABOVE WORK FIRST)
- change PermitEmptyPasswords to no
- add "Protocol 2" to the end of the file
Note
In the event you need to generate new keys and send them to the server, you will need to:
- change PasswordAuthentication back to yes
- restart the ssh service
- use the ssh-copy-id command to send the new keys
- change PasswordAuthentication back to no
- restart the ssh service again
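The hardening list and the key-rotation note above, handled with drop-in files instead of hand edits to sshd_config. This is an added example, not the page's own commands. It assumes Ubuntu's default `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config: sshd keeps the first value it reads for a directive, so a drop-in overrides the main file and a lower-numbered drop-in overrides a higher-numbered one, which is what makes the temporary password-login switch safe to add and remove. Two departures from the list, both deliberate: the "Protocol 2" line is left out because current OpenSSH speaks only protocol 2 and logs that directive as deprecated, and HostbasedAuthentication is rendered as the page lists it (yes), although its default is no and it only does anything with a configured shosts.equiv or ~/.shosts, so remove that line if you do not use host-based trust. SERVER_IP is a placeholder.

```shell
#!/bin/sh
# Added example (not the page's own commands): apply the sshd hardening as a
# drop-in, validate it, and provide an on/off switch for password logins used
# during key rotation. Assumes sshd_config includes /etc/ssh/sshd_config.d/*.conf
# first (Ubuntu default) and that sshd's first-value-wins rule applies.
set -eu

SSHD_DIR="${SSHD_DIR:-/etc/ssh/sshd_config.d}"
SERVER_IP="${SERVER_IP:-192.168.0.10}"     # placeholder: the server's own address

# The page's hardening set as a drop-in. $1 is the address sshd should bind to.
render_hardening() {
    cat <<EOF
AddressFamily inet
ListenAddress $1
LoginGraceTime 60
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
HostbasedAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

# Offline check of a rendered file: each listed directive must be present with
# the expected value. Prints the first mismatch and returns 1.
check_rendered() {
    for want in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "MaxAuthTries 3" "PermitEmptyPasswords no" "LoginGraceTime 60" "AddressFamily inet"; do
        grep -qx "$want" "$1" || { echo "missing: $want" >&2; return 1; }
    done
}

# Value of a directive as the running sshd resolves it (needs root; keywords are lowercase).
effective() {
    sshd -T 2>/dev/null | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '$1 == k {print $2; exit}'
}

apply_hardening() {
    render_hardening "$SERVER_IP" > "$SSHD_DIR/50-hardening.conf"
    check_rendered "$SSHD_DIR/50-hardening.conf"
    sshd -t                                 # syntax check before touching the live service
    systemctl restart ssh
    printf 'effective PasswordAuthentication: %s\n' "$(effective PasswordAuthentication)"
}

# Temporarily allow password logins (so ssh-copy-id can install a new key), or
# revoke that exception again. 10- sorts before 50-, so it wins while present.
password_auth() {
    case "$1" in
        on)  printf 'PasswordAuthentication yes\n' > "$SSHD_DIR/10-temp-password.conf" ;;
        off) rm -f "$SSHD_DIR/10-temp-password.conf" ;;
        *)   echo "usage: password_auth on|off" >&2; return 2 ;;
    esac
    sshd -t && systemctl restart ssh
    printf 'effective PasswordAuthentication: %s\n' "$(effective PasswordAuthentication)"
}

case "${1:-}" in
    --apply)        apply_hardening ;;
    --password-on)  password_auth on ;;
    --password-off) password_auth off ;;
esac
```

Key rotation then becomes `sudo sh sshd-harden.sh --password-on`, `ssh-copy-id ...` from the workstation, and `sudo sh sshd-harden.sh --password-off`; the `effective` line printed after each step confirms from `sshd -T` that the value really changed, which is the check worth doing before logging out of the session you are in.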
QEMU Guest Agent for Proxmox
This is a guest agent that allows the VM to communicate information to the Proxmox host.
Install the guest agent:
Enable it so that it starts when the OS starts:
Start the service:
Check the status of the agent:
SNMP for LibreNMS
I have a LibreNMS server configured and want to send SNMP data to it.
Install SNMP:
Edit the SNMP configuration:
Edit lines as follows:
- sysLocation [Name of location]
- sysContact Name email@address.com
- agentaddress udp:[server_ip_address]:161
- rocommunity [supersecret_snmp_string]
- comment out rocommunity6
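The snmpd.conf edits listed above as a sed script that touches only the live (uncommented) directives and keeps a backup. This is an added example, not the page's own commands; it assumes Ubuntu's /etc/snmp/snmpd.conf layout with directives at the start of the line, and all addresses and the community string are placeholders. It goes one step beyond the list: the read-only community is restricted to the LibreNMS poller's address, so the string is useless from any other host even if it leaks.

```shell
#!/bin/sh
# Added example (not the page's own commands): apply the snmpd.conf edits with
# sed, restart the agent and show the resulting live directives. Assumes the
# Ubuntu snmpd package and placeholder addresses.
set -eu

# Edit the live directives in place. Arguments:
#   $1 conf file, $2 sysLocation, $3 sysContact, $4 agent bind address,
#   $5 community string, $6 host or CIDR allowed to use that community
configure_snmpd() {
    conf="$1"; loc="$2"; contact="$3"; ip="$4"; community="$5"; allowed="$6"
    # Only uncommented lines at column 0 are rewritten; the commented examples
    # in the distro file stay as documentation. "|" is the sed delimiter and "&"
    # is special in replacements, so values must not contain either character.
    sed -i.bak \
        -e "s|^sysLocation[[:space:]].*|sysLocation    $loc|" \
        -e "s|^sysContact[[:space:]].*|sysContact     $contact|" \
        -e "s|^agentaddress[[:space:]].*|agentaddress  udp:$ip:161|" \
        -e "s|^rocommunity[[:space:]].*|rocommunity  $community $allowed|" \
        -e "s|^rocommunity6[[:space:]]|#&|" \
        "$conf"
}

# Print the live values so the edit can be eyeballed.
show_snmpd() {
    grep -E '^(sysLocation|sysContact|agentaddress|rocommunity6?)[[:space:]]' "$1" || true
}

# Number of active rocommunity6 lines; 0 means the "comment out" step took effect.
active_rocommunity6() {
    grep -c '^rocommunity6[[:space:]]' "$1" || true
}

if [ "${1:-}" = "--apply" ]; then
    apt-get -y install snmpd
    configure_snmpd /etc/snmp/snmpd.conf \
        "Rack 1, basement" "Admin admin@example.lan" \
        "192.168.0.10" "CHANGE_ME_community" "192.168.0.20"   # placeholders
    [ "$(active_rocommunity6 /etc/snmp/snmpd.conf)" = "0" ] || { echo "rocommunity6 still active" >&2; exit 1; }
    systemctl restart snmpd
    show_snmpd /etc/snmp/snmpd.conf
fi
```

Verify from the LibreNMS host with `snmpget -v2c -c CHANGE_ME_community 192.168.0.10 sysName.0` (from the `snmp` package); the same command from any other machine should time out, which confirms the source restriction rather than just the credentials.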
RSYSLOG
RSYSLOG is a service that sends system logs to a remote server, providing a centralized collection point for logging. In this case I use my LibreNMS server to collect the logs as well.
Install rsyslog:
Create a config file addendum:
Add the following to the file:
This will send all logs via TCP to the address of my LibreNMS server on port 514.
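The forwarding addendum written in rsyslog's RainerScript form rather than the one-line `*.* @@ip:514` legacy syntax, so a disk-assisted queue can be attached: while the collector is down, messages are buffered on disk and the action keeps retrying instead of being disabled. This is an added example, not the page's own config; it assumes rsyslog 8 as shipped on Ubuntu (which sets a work directory for queue files and includes /etc/rsyslog.d/*.conf) and a placeholder LibreNMS address.

```shell
#!/bin/sh
# Added example (not the page's own commands): write the rsyslog forwarding
# drop-in with a disk-assisted queue, validate the config, restart and probe.
# Assumes rsyslog 8 with /etc/rsyslog.d/*.conf included and a placeholder collector.
set -eu

LIBRENMS_IP="${LIBRENMS_IP:-192.168.0.20}"                      # placeholder
RSYSLOG_DROPIN="${RSYSLOG_DROPIN:-/etc/rsyslog.d/50-librenms.conf}"

# Forward everything (*.*) to the collector. Arguments: target, port, protocol.
# The LinkedList queue with a filename spills to disk under the work directory
# when the collector is unreachable; resumeRetryCount=-1 retries indefinitely.
render_forwarder() {
    cat <<EOF
# Forward all logs to the LibreNMS syslog collector
*.* action(type="omfwd"
           target="$1" port="$2" protocol="$3"
           queue.type="LinkedList"
           queue.filename="librenms_fwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# Pull the forwarding target back out of a rendered file as "target port protocol",
# for a quick check that the file says what you think it says.
forwarder_summary() {
    sed -n 's/.*target="\([^"]*\)" port="\([^"]*\)" protocol="\([^"]*\)".*/\1 \2 \3/p' "$1"
}

apply() {
    apt-get -y install rsyslog
    render_forwarder "$LIBRENMS_IP" 514 tcp > "$RSYSLOG_DROPIN"
    rsyslogd -N1                       # config check only; non-zero exit means a syntax error
    systemctl restart rsyslog
    logger -t rsyslog-test "forwarding test from $(hostname)"   # should show up on the collector
    # With TCP, an established session to :514 is visible locally; absence means
    # the collector is not listening or the traffic is being filtered.
    ss -tn | grep -q ":514 " || echo "no TCP session to port 514 yet" >&2
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Because everything is sent with `*.*`, the collector receives authentication events from sshd as well, which is what makes the central copy useful after a host has been tampered with: logs that were deleted locally are still on the LibreNMS server.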
Reboot
This will reboot the system immediately.