Ubuntu Server

Warning

NEVER log in to a server as root for regular operations. You should ALWAYS log in as a user with sudo privileges and use sudo to execute administrator tasks.

Note

This assumes Ubuntu Minimal has been installed and that OpenSSH has been installed during the initial OS installation process.

Installation

Installation is really straightforward and there is no need for me to cover it here. But there are a few things to note when running the installation:

  1. During the "Choose the type of installation" prompt, I use the "Ubuntu Server (minimized)" option. This will generally keep the installation as small as possible and I can install only what is needed.

  2. In the "Network configuration" prompt, I always set a static IP address. I will also set a DHCP reservation in my firewall (pfSense) to prevent the address from being used.

  3. Uncheck "Set up this disk as an LVM group" during the "Guided storage configuration" prompt. I uncheck this option since I do not leverage any of the benefits of LVM.

  4. I will always select the option to "Install OpenSSH server".

Run Updates

sudo -- sh -c 'apt update; apt dist-upgrade -y; apt autoremove -y; apt autoclean -y'

Set Timezone

You can look up the correct timezone here.

sudo timedatectl set-timezone America/New_York

Automatic Updates

Automatic updates download and install security-based updates for your system. This will not perform updates for the operating system and packages.

Install unattended-upgrades:

sudo apt install unattended-upgrades -y

Enable unattended-upgrades:

sudo dpkg-reconfigure --priority=low unattended-upgrades

Install Cron

Cron is a job scheduler that will perform tasks at a given time or interval.

sudo apt install cron -y

Install Nano

Nano is a basic command line text editor that I prefer to use.

sudo apt install nano -y

Install Net-Tools

A package that contains tools for obtaining and diagnosing network information. This includes arp, hostname, ifconfig, netstat, rarp, and route.

sudo apt install net-tools -y

Configure NTP

Install chrony:

sudo apt install chrony -y

I am running an NTP server on my pfSense firewall, so I redirect NTP requests by adding it to the chrony config.

sudo nano /etc/chrony/chrony.conf

Locate the section listing NTP servers. It should look like this:

pool ntp.ubuntu.com        iburst maxsources 4
pool 0.ubuntu.pool.ntp.org iburst maxsources 1
pool 1.ubuntu.pool.ntp.org iburst maxsources 1
pool 2.ubuntu.pool.ntp.org iburst maxsources 2

Comment out the default sources and add the local NTP server:

server 192.168.0.1 iburst
#pool ntp.ubuntu.com        iburst maxsources 4
#pool 0.ubuntu.pool.ntp.org iburst maxsources 1
#pool 1.ubuntu.pool.ntp.org iburst maxsources 1
#pool 2.ubuntu.pool.ntp.org iburst maxsources 2

Reload the chrony sources:

sudo chronyc reload sources

Enable NTP:

sudo timedatectl set-ntp true

Check to see if it is working:

chronyc tracking

SSH Keys

Create SSH Keys

Create an SSH key pair for your computer. I prefer to have one key pair for each workstation and share the public keys with all of my servers.

Create a key pair on each computer you wish to SSH into the server with:

ssh-keygen -t ed25519 -C "[local_computer_name]"

  • it is highly recommended to set a password for every key pair

  • if a key password is used, it will prompt for the password when first using it then cache it for the remainder of the session

  • you will still need to know the sudo password of the account on the server when calling sudo commands

  • save the keypair into your ~/.ssh/ directory if on Linux

  • I name the keypair after the local computer name for easy identification
    e.g. ~/.ssh/compy486_key

Copy SSH Keys to Server

Copy the public key from each computer you have generated a key pair on to the server:

ssh-copy-id -i ~/.ssh/computer_name_key.pub admin_user@server

Testing

Test to see if you can SSH without using a password from each computer:

ssh admin_user@server

Harden SSH

Edit the SSH server configuration file:

sudo nano /etc/ssh/sshd_config

  • change Port to another port number (I use 1138)
  • change AddressFamily to inet
  • change ListenAddress to the IP address of the server
  • change LoginGraceTime to 60s or less
  • change PermitRootLogin to no
  • change MaxAuthTries to 3
  • change PubkeyAuthentication to yes
  • change HostbasedAuthentication to yes
  • change PasswordAuthentication to no (MAKE SURE YOUR KEYS ABOVE WORK FIRST)
  • change PermitEmptyPasswords to no
  • add Protocol 2 to the end of the document
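
To confirm that the edits took effect before closing the current session, the effective settings can be compared with the list above. This is an added example, not part of the original guide: audit_sshd is a hypothetical helper, the sample input is constructed, and the input is assumed to be in the format printed by sshd -T.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). audit_sshd is a hypothetical
# helper; it reads text in the format printed by `sshd -T` (lowercase keyword,
# then value) and compares it with the values from the list above.
# HostbasedAuthentication and ListenAddress are left to the operator:
# ListenAddress is site-specific, and hardening baselines such as the CIS
# benchmarks set HostbasedAuthentication to no.

audit_sshd() {
    # $1 = expected port. Prints one line per mismatch, returns 0 if none.
    local want_port="$1" cfg key want got bad=0
    cfg="$(cat)"
    while read -r key want; do
        got="$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, effective ${got:-unset}"
            bad=1
        fi
    done <<EOF
port $want_port
addressfamily inet
permitrootlogin no
maxauthtries 3
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
EOF
    # sshd -T reports LoginGraceTime in seconds; the list asks for 60s or less.
    got="$(printf '%s\n' "$cfg" | awk '$1 == "logingracetime" { print $2; exit }')"
    if [ -z "$got" ] || [ "$got" -gt 60 ]; then
        echo "MISMATCH logingracetime: want <= 60, effective ${got:-unset}"
        bad=1
    fi
    return "$bad"
}

# Constructed sample: effective settings of an unmodified install.
SAMPLE_STOCK='port 22
addressfamily any
logingracetime 120
permitrootlogin without-password
maxauthtries 6
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no'

printf '%s\n' "$SAMPLE_STOCK" | audit_sshd 1138 || echo "sshd is not hardened yet"
# On the server: sudo sshd -t && sudo sshd -T | audit_sshd 1138
```

Keep the existing SSH session open while running the check, so a mistake in the file can still be corrected.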

QEMU Guest Agent for Proxmox

This is a guest agent that allows the VM to communicate information to the Proxmox host.

Install the guest agent:

sudo apt-get install qemu-guest-agent -y

Enable it so that it starts when the OS starts:

sudo systemctl enable qemu-guest-agent

Start the service:

sudo systemctl start qemu-guest-agent

Check the status of the agent:

sudo systemctl status qemu-guest-agent

SNMP for LibreNMS

I have a LibreNMS server configured and as such, want to send SNMP data to it.

Install SNMP:

sudo apt install snmpd -y

Edit the SNMP configuration:

sudo nano /etc/snmp/snmpd.conf

Edit lines as follows:

  • sysLocation [Name of location]
  • sysContact Name email@address.com
  • agentaddress udp:[server_ip_address]:161
  • rocommunity [supersecret_snmp_string]
  • comment out rocommunity6

RSYSLOG

RSYSLOG is a service that will send system logs to a remote server, allowing a centralized collection point for logging. In this case, I have a LibreNMS server that will also collect the logs.

Install rsyslog:

sudo apt install rsyslog -y

Create config file addendum:

sudo nano /etc/rsyslog.d/10-remotelog.conf

Add the following to the file:

*.* action(type="omfwd" target="192.168.0.33" port="514" protocol="tcp")

This will send all logs via TCP to the address of my LibreNMS server on port 514.

Reboot

This will reboot the system immediately.

sudo reboot now

Connecting After Reboot

Since the SSH port has been reconfigured, this will need to be specified when SSHing into the server:

ssh handyadmin@server -p 1138