secure_ubuntu_system:initial_configuration

Differences

This shows you the differences between two versions of the page.

Previous revision: secure_ubuntu_system:initial_configuration [2016/12/07 12:28] – [Comments] peter
Current revision: secure_ubuntu_system:initial_configuration [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 22: Line 22:
 Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>. Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>.
  
 +----
  
 ===== Get root privileges (Optional) ===== ===== Get root privileges (Optional) =====
Line 58: Line 59:
 </code> </code>
 </WRAP> </WRAP>
 +
 +----
  
 ===== Update APT Sources ===== ===== Update APT Sources =====
Line 131: Line 134:
 </file> </file>
  
 +<WRAP info>
 **NOTE**:  The Ubuntu version and name may differ in the file, depending on what version of Ubuntu is being used. **NOTE**:  The Ubuntu version and name may differ in the file, depending on what version of Ubuntu is being used.
 +</WRAP>
 +
  
 Save the file, then issue the following command: Save the file, then issue the following command:
Line 162: Line 168:
   * http://wiki.debian.org/Aptitude    * http://wiki.debian.org/Aptitude 
 </WRAP> </WRAP>
 +
 +----
  
 ===== Enable Automatic Security Updates (optional) ===== ===== Enable Automatic Security Updates (optional) =====
Line 186: Line 194:
 </file> </file>
  
 +----
  
 ==== Customize automatic updates ==== ==== Customize automatic updates ====
Line 209: Line 218:
 </file> </file>
  
 +----
  
 ==== Reference ==== ==== Reference ====
Line 215: Line 225:
  
  
 +----
  
 ===== Upgrading Ubuntu Server to latest LTS version (optional) ===== ===== Upgrading Ubuntu Server to latest LTS version (optional) =====
Line 227: Line 238:
  
 This is a good option.  The important thing is knowing for certain that you can restore/recreate the server in case the upgraded server is not left in a bootable, usable condition. This is a good option.  The important thing is knowing for certain that you can restore/recreate the server in case the upgraded server is not left in a bootable, usable condition.
 +
 +----
  
 ==== Install the Upgrade Manager ==== ==== Install the Upgrade Manager ====
Line 234: Line 247:
 </code> </code>
  
 +----
  
 ==== Double-check Configuration File ==== ==== Double-check Configuration File ====
Line 255: Line 269:
 </file> </file>
  
 +----
  
 ==== Run the Upgrade Manager ==== ==== Run the Upgrade Manager ====
Line 275: Line 290:
   * MySQL - You may be prompted for a new MySQL root password at times.  Just press <color green>Enter</color> without entering a new password to keep the existing MySQL password.    * MySQL - You may be prompted for a new MySQL root password at times.  Just press <color green>Enter</color> without entering a new password to keep the existing MySQL password. 
   * phpMyAdmin - Adding a new line to phpMyAdmin's configuration file may be needed for the new phpMyAdmin version.    * phpMyAdmin - Adding a new line to phpMyAdmin's configuration file may be needed for the new phpMyAdmin version. 
-</WRAP> 
  
-==== Reference ====+=== Reference ===
  
   * Community documentation: https://help.ubuntu.com/community/PreciseUpgrades     * Community documentation: https://help.ubuntu.com/community/PreciseUpgrades  
 +
 +</WRAP>
  
  
  
 +----
  
 ===== Update VIM ===== ===== Update VIM =====
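Review bot: the Reference heading in this hunk is demoted from `==== Reference ====` to `=== Reference ===` while the earlier `==== Reference ====` under the automatic-updates section stays at level four, so the two reference subsections now render at different levels; keep them consistent. Moving `</WRAP>` below the heading also puts the reference link inside the box that holds the MySQL and phpMyAdmin upgrade caveats; closing the WRAP before the heading keeps the box limited to the caveats and the link outside it.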
Line 295: Line 312:
    
 To update to the full vim package, install **vim-nox**. Of course, different text editor such as joe or nano can be installed as well.  To update to the full vim package, install **vim-nox**. Of course, different text editor such as joe or nano can be installed as well. 
 +
 +----
  
  
Line 315: Line 334:
 </code> </code>
  
 +----
  
 ==== Create and Enable the Swap File ==== ==== Create and Enable the Swap File ====
Line 358: Line 378:
 |of=/swapfile1|Write to storage file /swapfile1.| |of=/swapfile1|Write to storage file /swapfile1.|
 |bs=1024|Read and write 1024 BYTES bytes at a time.| |bs=1024|Read and write 1024 BYTES bytes at a time.|
-|count=512k|Copy only 524288 BLOCKS input blocks.|+|count=512k|Copy only 524288 BLOCKS input blocks.  This is the size of the swap file.|
  
 +----
  
 ==== Prepare the swap file by creating a Linux swap area ==== ==== Prepare the swap file by creating a Linux swap area ====
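Review bot: the sentence added to the `count=512k` row, "This is the size of the swap file.", is misleading: 524288 is the number of input blocks, and with `bs=1024` from the row above the resulting file is 524288 × 1024 bytes, i.e. 512 MiB. Suggest "Together with bs=1024 this gives a 512 MiB swap file." so a reader who changes one value knows the size depends on both.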
Line 373: Line 394:
 no label, UUID=265d3e61-6e2b-4126-baba-6e6185e97b46 no label, UUID=265d3e61-6e2b-4126-baba-6e6185e97b46
 </code> </code>
 +
 +----
  
 ==== Activate the swap file ==== ==== Activate the swap file ====
Line 407: Line 430:
 ==== Improve performance ==== ==== Improve performance ====
  
-Swappiness in the file should be set to 0.  Skipping this step may cause both poor performance, whereas setting it to 0 will cause swap to act as an emergency buffer, preventing out-of-memory crashes.  You can do this with the following commands: [todo: check what swappiness options are]+Swappiness in the file should be set to 0.  Skipping this step may cause both poor performance, whereas setting it to 0 will cause swap to act as an emergency buffer, preventing out-of-memory crashes.  You can do this with the following commands: 
  
 <code bash> <code bash>
Line 414: Line 437:
 </code> </code>
  
 +<WRAP info>
 +A low swappiness value causes the kernel to avoid swapping, a higher value causes the kernel to try to use swap space.  
 +
 +^Swappiness Value^Strategy^
 +|0|The kernel will swap only to avoid an [[https://en.wikipedia.org/wiki/Out_of_memory|out of memory]] condition, when free memory will be below vm.min_free_kbytes limit.  See the [[https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/sysctl/vm.txt|VM Sysctl documentation]].|
 +|1|Kernel version 3.5 and over, as well as Red Hat kernel version 2.6.32-303 and over: Minimum amount of swapping without disabling it entirely.|
 +|10|This value is sometimes recommended to improve performance when sufficient memory exists in a system.|
 +|60|The default value.|
 +|100|The kernel will swap aggressively.|
 +</WRAP>
 +
 +----
  
 ==== Secure SWAP ==== ==== Secure SWAP ====
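Review bot: the paragraph still reads "Skipping this step may cause both poor performance, whereas setting it to 0 ...", which is ungrammatical ("both" has no second item) and should be tidied now that the `[todo: ...]` marker has been dropped, e.g. "Skipping this step can cause poor performance, whereas setting it to 0 makes swap act as an emergency buffer, preventing out-of-memory crashes." The recommendation of 0 also sits awkwardly beside the new table: the row for 1 describes it as the minimum amount of swapping "without disabling it entirely" on kernel 3.5 and later, which implies 0 effectively disables swapping on those kernels, so the text should say which value applies to the kernels the guide targets (1 for modern kernels, 0 only for older ones) rather than stating 0 unconditionally.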
Line 427: Line 462:
  
  
 +----
  
 ===== Change the Default Shell ===== ===== Change the Default Shell =====
Line 444: Line 479:
  
  
 +----
  
 ===== Synchronize the System Clock ===== ===== Synchronize the System Clock =====
Line 490: Line 525:
  
 <code> <code>
-root@server1:~# sudo ntpq -p 
      remote           refid      st t when poll reach   delay   offset  jitter      remote           refid      st t when poll reach   delay   offset  jitter
 ============================================================================== ==============================================================================
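Review bot: removing `root@server1:~# sudo ntpq -p` from the top of this block leaves the ntpq output with no indication of the command that produced it (the trailing prompt is dropped in the next hunk as well). If the intent is to strip prompts from code blocks, keep a plain `ntpq -p` line or name the command in the sentence that introduces the block so the output can be reproduced; `sudo` is redundant in a root shell anyway, so the prompt-free form is the better one to keep.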
Line 498: Line 532:
  i4DF67E84.pool. .PPSb.           1 u   38   64    3   37.265   16.166  91.399  i4DF67E84.pool. .PPSb.           1 u   38   64    3   37.265   16.166  91.399
  europium.canoni 131.188.3.220    2 u   39   64    3   15.170   14.873   4.720  europium.canoni 131.188.3.220    2 u   39   64    3   15.170   14.873   4.720
-root@server1:~# 
 </code> </code>
  
-Ubuntu offers two ways of updating the time, i.e. **ntpdate** and **ntpd**.  ntpdate is a bit of a blunt instrument - it adjusts the time in one big correction.  The ntp daemon ntpd is far more subtle.  It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance.  The cost of using ntpd against ntpdate is a little processing power and memory, but for a modern server this is negligible, however ntpd runs as a service.+<WRAP important> 
 +**ALERT**:  Ubuntu offers two ways of updating the time, i.e. **ntpdate** and **ntpd**.  ntpdate is a bit of a blunt instrument - it adjusts the time in one big correction.  The ntp daemon ntpd is far more subtle.  It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance.  The cost of using ntpd against ntpdate is a little processing power and memory, but for a modern server this is negligible, however ntpd runs as a //service//.
  
 +<WRAP caution>
 Note that for PCI-DSS compliance, we should not be running NTP as a service, unless this specific server is going to be used as a NTP server.  The reason being that PCI-DSS stipulates that each server in the network should only run a single external service, and as NTP could be classified as a service, this same server could not then be used for any other service, such as MySql. Note that for PCI-DSS compliance, we should not be running NTP as a service, unless this specific server is going to be used as a NTP server.  The reason being that PCI-DSS stipulates that each server in the network should only run a single external service, and as NTP could be classified as a service, this same server could not then be used for any other service, such as MySql.
 +</WRAP>
  
-If we dont want this to run as a service, we should only use ntpdate.+If we don't want this to run as a service, we should only use ntpdate.
  
 Issue the following commands in this case: Issue the following commands in this case:
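Review bot: the `<WRAP important>` opened at **ALERT** is not closed in this hunk and now has a `<WRAP caution>` nested inside it, so the ntpdate/ntpd comparison, the PCI-DSS note and the instructions that follow all render as one alert box; the comparison paragraph is background information rather than an alert, so either close the important box after "... ntpd runs as a //service//." and let the caution stand on its own, or drop the important wrapper and keep only the caution. Two wording points in the same lines: "The cost of using ntpd against ntpdate" reads better as "compared with ntpdate", and "MySql" should be "MySQL" as spelled in the upgrade notes above.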
Line 565: Line 601:
  
 **ntpdate-debian** does not need a parameter and uses the time-servers recorded within the /etc/default/ntpdate file. **ntpdate-debian** does not need a parameter and uses the time-servers recorded within the /etc/default/ntpdate file.
 +</WRAP>
  
 +----
  
 ==== Update crontab times ==== ==== Update crontab times ====
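Review bot: the `+</WRAP>` here closes the `<WRAP important>` opened at **ALERT** two hunks above, which means "Issue the following commands in this case:", the commands themselves and the ntpdate-debian paragraph are all rendered inside the alert box. Move this `</WRAP>` up so the box ends after the ntpd/ntpdate comparison (before the PCI-DSS caution) and the instructions return to normal body text.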
Line 607: Line 644:
 This also helps with log rotation, in that new daily logs are started at the beginning of each day instead of at 6am. This also helps with log rotation, in that new daily logs are started at the beginning of each day instead of at 6am.
  
-**NOTE**:  Slight differences between the minutes of each individual cron job could ensure that jobs run by different parts of cron don’t conflict. +<WRAP info> 
 +**NOTE**:  Slight differences between the minutes of each individual cron job could ensure that jobs run by different parts of cron don’t conflict. 
 +</WRAP> 
 + 
  
 +----
  
 ====== Add Global Aliases ====== ====== Add Global Aliases ======
Line 616: Line 657:
 Global Aliases would normally be added to the **/etc/profile** file, but it’s cleaner to have a separate file for the aliases. Global Aliases would normally be added to the **/etc/profile** file, but it’s cleaner to have a separate file for the aliases.
  
 +<WRAP info>
 **NOTE**:  A user can overwrite the global aliases if needed by defining their own aliases within their .bashrc,  .bash_aliases,  or .profile files within their own home directories. **NOTE**:  A user can overwrite the global aliases if needed by defining their own aliases within their .bashrc,  .bash_aliases,  or .profile files within their own home directories.
 +</WRAP>
 +
  
 To see what aliases are currently defined use the **alias** command.  To disable an alias in your current shell, use **unalias** name.  An alias can be temporarily disabled in the current command by prefixing the alias name with a \.  For example: \ls. To see what aliases are currently defined use the **alias** command.  To disable an alias in your current shell, use **unalias** name.  An alias can be temporarily disabled in the current command by prefixing the alias name with a \.  For example: \ls.
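Review bot: in the NOTE now wrapped in the info box, "A user can overwrite the global aliases" should read "override"; the user's own .bashrc, .bash_aliases or .profile definitions shadow the global ones for that user's shell without changing the global file.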
Line 627: Line 671:
  
 and add the following to the file: and add the following to the file:
- 
-# Instruct bash to expand the arguments to aliases. 
  
 <file bash /etc/profile.d/bash_aliases.sh> <file bash /etc/profile.d/bash_aliases.sh>
 +# Instruct bash to expand the arguments to aliases.
 shopt -s expand_aliases shopt -s expand_aliases
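Review bot: the comment moved into the file block, `# Instruct bash to expand the arguments to aliases.`, misdescribes `shopt -s expand_aliases`: the option enables alias expansion for the shell (already on in interactive shells, off in non-interactive ones) and has nothing to do with argument expansion. Suggest `# Enable alias expansion so the aliases below work even when this file is sourced by a non-interactive shell.` Worth adding to the surrounding text as well: files under /etc/profile.d are sourced by login shells only, so a non-login interactive shell will not pick these aliases up unless /etc/bash.bashrc sources the file too.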
  
Line 871: Line 914:
 </code> </code>
  
 +----
  
 ===== Add Global Functions ===== ===== Add Global Functions =====
Line 880: Line 924:
 Global Functions would normally be added to the **/etc/profile** file, but it’s cleaner to have a separate file for the functions. Global Functions would normally be added to the **/etc/profile** file, but it’s cleaner to have a separate file for the functions.
  
 +<WRAP info>
 **NOTE**:  A user can overwrite the global functions if needed by define their own functions within their .bashrc,  .bash_aliases,  or .profile files within their own home directories. **NOTE**:  A user can overwrite the global functions if needed by define their own functions within their .bashrc,  .bash_aliases,  or .profile files within their own home directories.
 +</WRAP>
 +
  
 Issue the following command: Issue the following command:
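Review bot: the NOTE wrapped in the info box in this hunk has a grammar slip, "by define their own functions", which should be "by defining their own functions"; as with the aliases note, "overwrite" is better phrased as "override".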
Line 1575: Line 1622:
  
  
 +
 +----
  
 ===== Allow colour prompts for the administrator (highly recommended) ===== ===== Allow colour prompts for the administrator (highly recommended) =====
Line 1592: Line 1641:
 This functionality is not required, but does makes it a lot easier to see what’s going on, so recommended. This functionality is not required, but does makes it a lot easier to see what’s going on, so recommended.
  
 +----
  
 ===== Restart the System ===== ===== Restart the System =====
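Review bot: the context line "This functionality is not required, but does makes it a lot easier to see what’s going on, so recommended." needs "does make it" and a complete final clause, e.g. "so it is recommended."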
Line 1603: Line 1653:
 ...and log back in using a SSH client, such as Putty. ...and log back in using a SSH client, such as Putty.
  
 +----
  
 ===== Login using a SSH Client ===== ===== Login using a SSH Client =====
Line 1620: Line 1671:
 Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>. Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>.
  
 +----
  
 +===== Continue =====
  
 +Continue to [[Secure Ubuntu System:Base Security]]
  
secure_ubuntu_system/initial_configuration.1481113699.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
