Ubuntu 22.04 Setup
Here is the process I use to set up and secure my Ubuntu servers. Security must strike a balance with usability/convenience. Different situations require different security postures and measures, and you must decide what that balance is and the level of security you want/need for your given situation. I have found that the following setup accomplishes my security needs when hosting at home.
This process also installs certain packages which I find useful and regularly use.
Warning
NEVER log in to a server as root for regular operations. You should ALWAYS log in as a user with sudo privileges and use sudo to execute administrator tasks.
Note
This assumes Ubuntu Minimal has been installed and that OpenSSH has been installed during the initial OS installation process.
Installation
Installation is really straightforward and there is no need for me to cover it here. But there are a few things to note when running the installation:
- I run all instances in a Proxmox VM. The system resources will vary based on what I have available and what the system being run on it will require.
- Most of the prompts during installation are pretty straightforward and obvious.
- During the "Choose the type of installation" prompt, I use the "Ubuntu Server (minimized)" option. This will generally keep the installation as small as possible and I can install only what is needed.
- In the "Network configuration" I always set a static IP address. I will also set a DHCP reservation in my firewall (pfSense) to prevent the address from being used if I goof something at some point and expand the DHCP range. Finally, I will add a static DNS entry to AdGuard so it can easily be found by other devices on my network.
- One option that isn't obvious is the checkbox "Set up this disk as an LVM group" during the "Guided storage configuration" prompt. I uncheck this option since I do not leverage any of the benefits of LVM.
  - I run a Proxmox Backup Server so I do not use snapshots at all.
  - I have a virtual disk that can be resized at any point.
  - I do not need to combine multiple drives within Ubuntu.
  - This pretty much eliminates the need for LVM within my environment. LVM can be more practical if Ubuntu is being installed on bare metal.
  - Note that if this option is checked, Ubuntu will reserve half of the available space for snapshots and such, so it will not be directly usable by the operating system itself as storage.
- I will always select the option to "Install OpenSSH server" as this is the default method of managing a CLI-only Linux distro.
Run Updates
Once the installation is complete, it is a great idea to make sure everything is up to date.
You can save this command for later as it can be very useful to update the server in the future.
Update
This command updates the local package index with the latest information about packages available from Ubuntu and any added repositories.
Dist-Upgrade
Performs the actual updates, comparing the currently installed versions to the local repository of available packages that was updated by the update command. If a newer version of a program exists, it will download and install the newer version.
dist-upgrade is more aggressive than using upgrade. It will install and remove dependencies for packages to always allow for a full upgrade while upgrade will not.
Autoremove
Removes any packages that were installed as dependencies for other programs and are no longer needed.
Autoclean
Cleans the local package cache of packages that are no longer available from the repositories.
Set Timezone
Use the timezone applicable to your location. You can look up the correct timezone here.
Automatic Updates
Automatic updates will automatically download and install security based updates for your system. This will not perform updates for the operating system and packages.
Install unattended-upgrades:
Enable unattended-upgrades:
Install Cron
Cron is a job scheduler that will perform tasks at a given time or interval.
Install Nano
Nano is a basic command line text editor that I prefer to use.
Install Net-Tools
Package that contains tools for obtaining network information and diagnosing network problems. This includes arp, hostname, ifconfig, netstat, rarp, and route.
Configure NTP
Install chrony:
I am running an NTP server on my pfSense firewall, so I redirect NTP requests by adding it to the chrony config.
Locate the section listing NTP servers. It should look like this:
pool ntp.ubuntu.com iburst maxsources 4
pool 0.ubuntu.pool.ntp.org iburst maxsources 1
pool 1.ubuntu.pool.ntp.org iburst maxsources 1
pool 2.ubuntu.pool.ntp.org iburst maxsources 2
Comment out the default sources and add the local NTP server:
server 192.168.0.1 iburst
#pool ntp.ubuntu.com iburst maxsources 4
#pool 0.ubuntu.pool.ntp.org iburst maxsources 1
#pool 1.ubuntu.pool.ntp.org iburst maxsources 1
#pool 2.ubuntu.pool.ntp.org iburst maxsources 2
Reload the chrony sources:
Enable NTP:
Check to see if it is working:
SSH Keys
Create SSH Keys
Create an SSH key pair for your computer. I prefer to have one keypair for each workstation and share the keys with all of my servers. Your security requirements may require a different approach. This needs to be done once on each computer that will ssh into any server unless you wish to have a separate key pair for each server.
Create a key pair from each computer you wish to ssh into the server with:
- it is highly recommended to set a password for every key pair
- if a key password is used, it will prompt for the password when first using it then cache it for the remainder of the session
- you will still need to know the sudo password of the account on the server when calling sudo commands
- save the keypair into your ~/.ssh/ directory if on Linux
- I name the keypair after the local computer name for easy identification, e.g. ~/.ssh/compy486_key
Copy SSH Keys to Server
Copy the keypair from each computer you have generated a keypair for to the server:
Testing
Test to see if you can SSH without using a password from each computer:
Harden SSH
Edit the SSH server configuration file:
- change Port to another port number (I use 1138)
- change AddressFamily to inet
- change ListenAddress to the ip address of the server
- change LoginGraceTime to 60s or less
- change PermitRootLogin to no
- change MaxAuthTries to 3
- change PubkeyAuthentication to yes
- change HostbasedAuthentication to yes
- change PasswordAuthentication to no (MAKE SURE YOUR KEYS ABOVE WORK FIRST)
- change PermitEmptyPasswords to no
- add "Protocol 2" to the end of the document
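A way to check an edited file against part of the list above before restarting sshd. This is an added example, not the author's own script: the function names effective_value and audit_sshd and the sample file are assumptions made for illustration, and only the settings with a single fixed value are checked. It applies sshd's rule that, for each keyword, the first value obtained is the one used.

```shell
# effective_value FILE KEYWORD: print the value sshd would take from FILE.
# Keywords are case-insensitive and the first uncommented occurrence wins;
# parsing stops at the first Match block, where global settings end.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/    { next }
        tolower($1) == "match"  { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$1"
}

# audit_sshd FILE: print every setting in the table below that FILE does not
# satisfy and return non-zero if there was one. The table is a subset of the
# list above; Port 1138 is the author's example value.
audit_sshd() {
    fail=0
    while read -r key want; do
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', got '${got:-unset}'"
            fail=1
        fi
    done <<EOF
port 1138
permitrootlogin no
maxauthtries 3
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
EOF
    return "$fail"
}

# Constructed sample: a commented-out line followed by two conflicting
# PasswordAuthentication lines, of which only the first takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 1138
permitrootlogin no
MaxAuthTries 3
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
audit_sshd "$sample" || echo "fix the lines above before restarting sshd"
```

On Ubuntu 22.04 the stock /etc/ssh/sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there is read first and can win over a later line in the main file. On the server itself, `sudo sshd -T` prints the effective configuration with those files taken into account.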
QEMU Guest Agent for Proxmox
This is a guest agent that allows the VM to communicate information to the Proxmox host.
Install the guest agent:
Enable it so that it starts when the OS starts:
Start the service:
Check the status of the agent:
SNMP for LibreNMS
I have a LibreNMS server configured and as such, want to send SNMP data to it.
Install SNMP:
Edit the SNMP configuration:
Edit lines as follows:
- sysLocation [Name of location]
- sysContact Name email@address.com
- agentaddress udp:[server_ip_address]:161
- rocommunity [supersecret_snmp_string]
- comment out rocommunity6
RSYSLOG
RSYSLOG is a service that will send system logs to a remote server, allowing a centralized collection point for logging. In this case, I have a LibreNMS server that will also collect the logs.
Install rsyslog:
Create config file addendum:
Add the following to the file:
This will send all logs via TCP to the address of my LibreNMS server on port 514.
Reboot
This will reboot the system immediately.
Connecting After Reboot
Since the SSH port has been reconfigured, this will need to be specified when SSHing into the server:
For example: