secure_ubuntu_system:initial_configuration

Differences

This shows you the differences between two versions of the page.

secure_ubuntu_system:initial_configuration [2016/12/07 15:17] – [Improve performance] peter
secure_ubuntu_system:initial_configuration [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 22: Line 22:
 Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>. Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>.
  
 +----
  
 ===== Get root privileges (Optional) ===== ===== Get root privileges (Optional) =====
Line 58: Line 59:
 </code> </code>
 </WRAP> </WRAP>
 +
 +----
  
 ===== Update APT Sources ===== ===== Update APT Sources =====
Line 131: Line 134:
 </file> </file>
  
 +<WRAP info>
 **NOTE**:  The Ubuntu version and name may differ in the file, depending on what version of Ubuntu is being used. **NOTE**:  The Ubuntu version and name may differ in the file, depending on what version of Ubuntu is being used.
 +</WRAP>
 +
  
 Save the file, then issue the following command: Save the file, then issue the following command:
Line 162: Line 168:
   * http://wiki.debian.org/Aptitude    * http://wiki.debian.org/Aptitude 
 </WRAP> </WRAP>
 +
 +----
  
 ===== Enable Automatic Security Updates (optional) ===== ===== Enable Automatic Security Updates (optional) =====
Line 186: Line 194:
 </file> </file>
  
 +----
  
 ==== Customize automatic updates ==== ==== Customize automatic updates ====
Line 209: Line 218:
 </file> </file>
  
 +----
  
 ==== Reference ==== ==== Reference ====
Line 215: Line 225:
  
  
 +----
  
 ===== Upgrading Ubuntu Server to latest LTS version (optional) ===== ===== Upgrading Ubuntu Server to latest LTS version (optional) =====
Line 228: Line 239:
 This is a good option.  The important thing is knowing for certain that you can restore/recreate the server in case the upgraded server is not left in a bootable, usable condition. This is a good option.  The important thing is knowing for certain that you can restore/recreate the server in case the upgraded server is not left in a bootable, usable condition.
  
 +----
  
 ==== Install the Upgrade Manager ==== ==== Install the Upgrade Manager ====
Line 235: Line 247:
 </code> </code>
  
 +----
  
 ==== Double-check Configuration File ==== ==== Double-check Configuration File ====
Line 256: Line 269:
 </file> </file>
  
 +----
  
 ==== Run the Upgrade Manager ==== ==== Run the Upgrade Manager ====
Line 285: Line 299:
  
  
 +----
  
 ===== Update VIM ===== ===== Update VIM =====
Line 298: Line 312:
    
 To update to the full vim package, install **vim-nox**. Of course, different text editor such as joe or nano can be installed as well.  To update to the full vim package, install **vim-nox**. Of course, different text editor such as joe or nano can be installed as well. 
 +
 +----
  
  
Line 318: Line 334:
 </code> </code>
  
 +----
  
 ==== Create and Enable the Swap File ==== ==== Create and Enable the Swap File ====
Line 363: Line 380:
 |count=512k|Copy only 524288 BLOCKS input blocks.  This is the size of the swap file.| |count=512k|Copy only 524288 BLOCKS input blocks.  This is the size of the swap file.|
  
 +----
  
 ==== Prepare the swap file by creating a Linux swap area ==== ==== Prepare the swap file by creating a Linux swap area ====
Line 376: Line 394:
 no label, UUID=265d3e61-6e2b-4126-baba-6e6185e97b46 no label, UUID=265d3e61-6e2b-4126-baba-6e6185e97b46
 </code> </code>
 +
 +----
  
 ==== Activate the swap file ==== ==== Activate the swap file ====
Line 427: Line 447:
 |100|The kernel will swap aggressively.| |100|The kernel will swap aggressively.|
 </WRAP> </WRAP>
 +
 +----
  
 ==== Secure SWAP ==== ==== Secure SWAP ====
Line 440: Line 462:
  
  
 +----
  
 ===== Change the Default Shell ===== ===== Change the Default Shell =====
Line 457: Line 479:
  
  
 +----
  
 ===== Synchronize the System Clock ===== ===== Synchronize the System Clock =====
Line 503: Line 525:
  
 <code> <code>
-root@server1:~# sudo ntpq -p 
      remote           refid      st t when poll reach   delay   offset  jitter      remote           refid      st t when poll reach   delay   offset  jitter
 ============================================================================== ==============================================================================
Line 511: Line 532:
  i4DF67E84.pool. .PPSb.           1 u   38   64    3   37.265   16.166  91.399  i4DF67E84.pool. .PPSb.           1 u   38   64    3   37.265   16.166  91.399
  europium.canoni 131.188.3.220    2 u   39   64    3   15.170   14.873   4.720  europium.canoni 131.188.3.220    2 u   39   64    3   15.170   14.873   4.720
-root@server1:~# 
 </code> </code>
  
-Ubuntu offers two ways of updating the time, i.e. **ntpdate** and **ntpd**.  ntpdate is a bit of a blunt instrument - it adjusts the time in one big correction.  The ntp daemon ntpd is far more subtle.  It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance.  The cost of using ntpd against ntpdate is a little processing power and memory, but for a modern server this is negligible, however ntpd runs as a service.+<WRAP important> 
 +**ALERT**:  Ubuntu offers two ways of updating the time, i.e. **ntpdate** and **ntpd**.  ntpdate is a bit of a blunt instrument - it adjusts the time in one big correction.  The ntp daemon ntpd is far more subtle.  It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance.  The cost of using ntpd against ntpdate is a little processing power and memory, but for a modern server this is negligible, however ntpd runs as a //service//.
  
 +<WRAP caution>
 Note that for PCI-DSS compliance, we should not be running NTP as a service, unless this specific server is going to be used as a NTP server.  The reason being that PCI-DSS stipulates that each server in the network should only run a single external service, and as NTP could be classified as a service, this same server could not then be used for any other service, such as MySql. Note that for PCI-DSS compliance, we should not be running NTP as a service, unless this specific server is going to be used as a NTP server.  The reason being that PCI-DSS stipulates that each server in the network should only run a single external service, and as NTP could be classified as a service, this same server could not then be used for any other service, such as MySql.
 +</WRAP>
  
-If we dont want this to run as a service, we should only use ntpdate.+If we don't want this to run as a service, we should only use ntpdate.
  
 Issue the following commands in this case: Issue the following commands in this case:
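Review bot: dropping the `root@server1:~# sudo ntpq -p` line at the top of this code block removes the only place in the hunk that tells the reader which command produced the peer table; what remains is ntpq output with no command to run. Keep the command visible, either as the prompt line that was there or as a short sentence before the block ("Run `ntpq -p` and check the `reach` and `offset` columns"). The `sudo` was redundant under a root prompt, so `ntpq -p` on its own is enough.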
Line 578: Line 601:
  
 **ntpdate-debian** does not need a parameter and uses the time-servers recorded within the /etc/default/ntpdate file. **ntpdate-debian** does not need a parameter and uses the time-servers recorded within the /etc/default/ntpdate file.
 +</WRAP>
  
 +----
  
 ==== Update crontab times ==== ==== Update crontab times ====
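Review bot: the `</WRAP>` added after the **ntpdate-debian** sentence is the closer for the `<WRAP important>` opened at Line 503, so the "ALERT" box runs from the ntpdate/ntpd comparison through the nested `<WRAP caution>` PCI-DSS note and the whole set of ntpdate commands. An alert box normally holds one paragraph; consider closing it directly after the ALERT paragraph and leaving the caution box and the commands outside it, which also avoids nesting one WRAP inside another.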
Line 620: Line 644:
 This also helps with log rotation, in that new daily logs are started at the beginning of each day instead of at 6am. This also helps with log rotation, in that new daily logs are started at the beginning of each day instead of at 6am.
  
-**NOTE**:  Slight differences between the minutes of each individual cron job could ensure that jobs run by different parts of cron don’t conflict. +<WRAP info> 
 +**NOTE**:  Slight differences between the minutes of each individual cron job could ensure that jobs run by different parts of cron don’t conflict. 
 +</WRAP> 
 + 
  
 +----
  
 ====== Add Global Aliases ====== ====== Add Global Aliases ======
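Review bot: the four added lines in this hunk (`<WRAP info> `, the NOTE line, `</WRAP> ` and the empty `+ ` line) carry trailing spaces; strip them so the blank line does not register as a change and the markup stays clean. In the NOTE text, "could ensure" hedges in both directions; "helps ensure" states what the offset minutes actually do.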
Line 629: Line 657:
 Global Aliases would normally be added to the **/etc/profile** file, but it’s cleaner to have a separate file for the aliases. Global Aliases would normally be added to the **/etc/profile** file, but it’s cleaner to have a separate file for the aliases.
  
 +<WRAP info>
 **NOTE**:  A user can overwrite the global aliases if needed by defining their own aliases within their .bashrc,  .bash_aliases,  or .profile files within their own home directories. **NOTE**:  A user can overwrite the global aliases if needed by defining their own aliases within their .bashrc,  .bash_aliases,  or .profile files within their own home directories.
 +</WRAP>
 +
  
 To see what aliases are currently defined use the **alias** command.  To disable an alias in your current shell, use **unalias** name.  An alias can be temporarily disabled in the current command by prefixing the alias name with a \.  For example: \ls. To see what aliases are currently defined use the **alias** command.  To disable an alias in your current shell, use **unalias** name.  An alias can be temporarily disabled in the current command by prefixing the alias name with a \.  For example: \ls.
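Review bot: "overwrite the global aliases" in the NOTE should be "override": an alias defined in a user's .bashrc, .bash_aliases or .profile shadows the global one in that user's shells, it does not modify the global file. In the same hunk, "prefixing the alias name with a \." reads better as "with a backslash, e.g. `\ls`".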
Line 641: Line 672:
 and add the following to the file: and add the following to the file:
  
 +<file bash /etc/profile.d/bash_aliases.sh>
 # Instruct bash to expand the arguments to aliases. # Instruct bash to expand the arguments to aliases.
- 
-<file bash /etc/profile.d/bash_aliases.sh> 
 shopt -s expand_aliases shopt -s expand_aliases
  
Line 884: Line 914:
 </code> </code>
  
 +----
  
 ===== Add Global Functions ===== ===== Add Global Functions =====
Line 893: Line 924:
 Global Functions would normally be added to the **/etc/profile** file, but it’s cleaner to have a separate file for the functions. Global Functions would normally be added to the **/etc/profile** file, but it’s cleaner to have a separate file for the functions.
  
 +<WRAP info>
 **NOTE**:  A user can overwrite the global functions if needed by define their own functions within their .bashrc,  .bash_aliases,  or .profile files within their own home directories. **NOTE**:  A user can overwrite the global functions if needed by define their own functions within their .bashrc,  .bash_aliases,  or .profile files within their own home directories.
 +</WRAP>
 +
  
 Issue the following command: Issue the following command:
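Review bot: the NOTE line has a grammar slip and the same wording issue as the aliases section: "by define their own functions" should be "by defining their own functions", and "overwrite" should be "override", since a function defined in the user's own .bashrc shadows the global one rather than changing the global file.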
Line 1588: Line 1622:
  
  
 +
 +----
  
 ===== Allow colour prompts for the administrator (highly recommended) ===== ===== Allow colour prompts for the administrator (highly recommended) =====
Line 1605: Line 1641:
 This functionality is not required, but does makes it a lot easier to see what’s going on, so recommended. This functionality is not required, but does makes it a lot easier to see what’s going on, so recommended.
  
 +----
  
 ===== Restart the System ===== ===== Restart the System =====
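Review bot: "does makes it a lot easier" in the context line should be "does make it a lot easier".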
Line 1616: Line 1653:
 ...and log back in using a SSH client, such as Putty. ...and log back in using a SSH client, such as Putty.
  
 +----
  
 ===== Login using a SSH Client ===== ===== Login using a SSH Client =====
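Review bot: "a SSH client, such as Putty" should be "an SSH client, such as PuTTY" (the project spells its name PuTTY); the same "a SSH" appears in the heading that closes this hunk.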
Line 1633: Line 1671:
 Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>. Go ahead and type **yes**, and then enter the password of the administrator, <color red>adminpass</color>.
  
 +----
  
 +===== Continue =====
  
 +Continue to [[Secure Ubuntu System:Base Security]]
  
secure_ubuntu_system/initial_configuration.1481123864.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
