Table of Contents
Secure Ubuntu Server - Decisions to Make
IMPORTANT: Items in RED should be changed to meet your requirements.
Decide on settings for the Administrator
Each server should have a primary administrator. This person is ultimately responsible for the administration and maintenance of the server.
| Item | Details | Comments |
|---|---|---|
| Administrator Username | administrator | This is the user-name of the primary administrator. |
| Administrator Password | adminpass | This is the password of the primary administrator. It's best to use a combination of letters, numbers and other characters. |
| Administrator Group | admin | This is the group that all administrators will belong to. |
IMPORTANT: Do not use the username admin for the Administrator Username as it is a reserved name on Ubuntu.
Decide on settings for the Server
| Item | Details | Comments |
|---|---|---|
| Server Name | server1 | This is the name of the server. |
| Domain Name | sharewiz.net | This is the name of the network domain. |
| Hostname | server1.sharewiz.net | This is the host name. |
Decide on settings for the External Network (WAN), the one connected to the internet
| Item | Details | Comments |
|---|---|---|
| Interface | em1 | The name of the interface. eth0 is often the 1st interface. |
| IPv4 Address | 192.168.1.2 | The IPv4 address. |
| IP Subnet Mask | 255.255.255.0 | |
| Broadcast | 192.168.1.255 | |
| Network | 192.168.1.0 | |
| Gateway | 192.168.1.1 | The IPv4 address of the router. |
NOTE: The IP Address, Subnet Mask and Gateway will probably be provided by your ISP if you have a static IP Address.
If the IP address is returned by your router's DHCP server, then use those settings instead.
IPv6
If IPv6 is going to be used then the following additional settings will be needed:
| Item | Details | Comments |
|---|---|---|
| Interface | em1 | The name of the interface. eth0 is often the 1st interface. |
| IPv6 Address | 1234:f000:2001:000a:0000:0000:0000:0010/64 | The IPv6 address. |
| IPv6 Gateway | 1234:f000:2001:000a:0000:0000:0000:0001 | The IPv6 address of the router. |
Decide on settings for the Internal Network (LAN)
| Item | Details | Comments |
|---|---|---|
| Interface | em2 | The name of the interface. eth1 is often the 2nd interface. If the system only has one network interface, then an alias of the primary network interface could be used as the second interface in place of the real interface throughout this document unless specifically indicated otherwise. For example eth0:0. |
| IP Address | 192.168.0.2 | The IP address. |
| IP Subnet Mask | 255.255.255.0 | |
| Broadcast | 192.168.0.255 | |
| Network | 192.168.0.0 |
NOTE: Do not include a Gateway option onto the internal interface.
With it in there, and being the 2nd default gateway that gets configured, it will likely replace or override the 1st gateway on eth0 when the system is initialized, and that path won't work through the router.
Decide on the External NameServers (WAN), the ones connected to the internet
Multiple DNS servers are recommended to support if one goes down.
[todo: add in a description of what a nameserver is]
| Item | Details | Comments |
|---|---|---|
| External DNS Server 1 | 8.8.8.8 | |
| External DNS Server 2 | 8.8.4.4 |
NOTE: 8.8.8.8 and 8.8.4.4 are Google's DNS servers.
If you wish to use your ISP's DNS servers, use them here instead of Google's servers.
208.67.222.222 and 208.67.220.220 could also be used. They are the OpenDNS' DNS servers.
IPv6
If using IPv6 then additional IPv6 DNS servers will be needed:
| Item | Details | Comments |
|---|---|---|
| External IPv6 DNS Server 1 | 2001:4860:4860::8844 | |
| External IPv6 DNS Server 2 | 2001:4860:4860::8888 |
NOTE: 2001:4860:4860::8844 and 2001:4860:4860::8844 are Google's public IPv6 DNS servers.
Decide on the Internal NameServers (LAN), the ones connected to the internal network
Multiple DNS servers are recommended to support if one goes down.
| Item | Details | Comments |
|---|---|---|
| Internal DNS Server 1 | 192.168.1.201 | |
| Internal DNS Server 2 | 192.168.1.202 |
Decide on the following Optional settings
These settings are only required if specific applications are installed.
| Item | Details | Comments |
|---|---|---|
| Admin Email Address | admin@sharewiz.net | Email address of the System Administrator. |
| MySQL Root Password | mysqlrootpass | If using MySQL or Maria SQL. |
| HTTP Proxy Server | http://192.168.5.6:3128 | If a proxy server is used for HTTP. |
Decide on the Hard Drive partitions
Use a design that allows for dynamic growth and fine-tuning.
This prevents volumes becoming completely full, which is a definite no!
The Logical Volume Manager (LVM) is used, which lets you add disks, replace disks, copy and share contents from one disk to another without disrupting service (hot swapping).
The following volume will remain outside the LVM:
| Volume | FileSystem | Size | Comments |
|---|---|---|---|
| /boot | /boot | 1 GB | boot volume - This will remain static in size. It is also the only space residing outside the Logical Volume Manager (LVM). |
NOTE: Recent versions of Linux and Ubuntu do support having the /boot volume within the LVM.
The following volumes will be within the LVM.
| Volume | FileSystem | Volume Size | Comments |
|---|---|---|---|
| /dev/vg01/root | / | 2 GB | root volume - Operating system and everything else which should remain fairly static. |
| /dev/vg01/usr | /usr | 2 GB | usr volume - Contains by far the largest share of data in the system. |
| /dev/vg01/var | /var | 2 GB | var volume - This is the app/database/log storage area and will continue to grow over time. |
| /dev/vg01/tmp | /tmp | 2 GB | tmp volume - This location will be used for temporary storage. Adjust size as required. |
| /dev/vg01/srv | /srv | 0.5 GB | srv volume - This will contain the files stored in the Samba share. |
| /dev/vg01/opt | /opt | 0.5 GB | opt volume - This location is occasionally used for specific software. |
| /dev/vg01/home | /home | 0.5 GB | home volume - This is where personal user files will be stored. |
| /dev/vg01/backup | /backup | 4 GB | backup volume - This will contain a local backup of any databases and other important data, so space needs to be around double /var. |
| /dev/vg01/sharewiz | /sharewiz | 0.5 GB | sharewiz volume - This will contain scripts used to administer the system, and should remain fairly static. |
NOTE: Swap partitions are no longer used by default. Instead Swap files are used.
However if using a system that still uses Swap Partitions then also include an allocation for this too as such:
| Volume | FileSystem | Volume Size | Comments |
|---|---|---|---|
| /dev/vg01/swap | swap | 4 GB | swap volume – Initially set to 4GB. This should remain static in size, however, if the amount of RAM is adjusted, this should be adjusted as well. See note below on recommended swap space. |
NOTE: Even though the above sizes will fill most of a 20GB hard drive, it it recommended to still use the same sizes even if you have a far bigger drive. The system will be set to auto grow the necessary partitions as required.
The exception to this is for the /var partition, which could be made much bigger from the start if you know for instance that a large database will be installed into it.
If you do increase the size of the /var partition then remember to also increase the size of the /backup partition accordingly. See Disk Security for further information.
Recommended Swap Space
NOTE: Swap partitions are no longer used by default. Instead Swap files are used.
However if using a system that still uses Swap Partitions then consider the following recommendations.
Historically, swap space was set to twice the amount of memory. However that was against systems with very little memory. Today’s systems have a lot more memory, so new rules apply as to the amount of recommended swap to have.
| RAM in your Server | Recommended swap space | Recommended swap space if allowing for hibernation | Maximum swap space |
|---|---|---|---|
| 256MB or less | 256MB | 512MB | 512MB |
| 512MB | 512MB | 1024MB | 1024MB |
| 1024MB | 1024MB | 2048MB | 2048MB |
| 1GB | 1GB | 2GB | 2GB |
| 2GB | 1GB | 3GB | 4GB |
| 3GB | 2GB | 5GB | 6GB |
| 4GB | 2GB | 6GB | 8GB |
| 5GB | 2GB | 7GB | 10GB |
| 6GB | 2GB | 8GB | 12GB |
| 8GB | 3GB | 11GB | 16GB |
| 12GB | 3GB | 15GB | 24GB |
| 16GB | 4GB | 20GB | 32GB |
| 24GB | 5GB | 29GB | 40GB |
| 32GB | 6GB | 38GB | 64GB |
| 64GB | 8GB | 72GB | 128GB |
| 128GB or more | 11GB | 139GB | 256GB |
or to quickly get an idea of how much swap to use:
| Amount of RAM in the system | Recommended swap space | Recommended swap space if allowing for hibernating |
|---|---|---|
| 2GB of RAM or less | 2 times the amount of RAM | 3 times the amount of RAM |
| 2GB to 8GB of RAM | Equal to the amount of RAM | 2 times the amount of RAM |
| 8GB to 64GB of RAM | 0.5 times the amount of RAM | 1.5 times the amount of RAM |
| 64GB of RAM or more | 4GB of swap space | No extra space needed |
NOTE: When the logical volumes and file systems are initially created, they consume the maximum amount of space allocated so that the file system size will initially equal the logical volume size.
These partition sizes above are artificially small for that reason.
These will be later modified so that the logical volume will be larger than the file system so that the file system has room to expand when needed in a safe and automated manner.
Important info
The /tmp folder is strictly temporary. By default, each time the server reboots, this folder is deleted and re-created.
The /backup folder will retain the most recent backup and is considered the “local” copy of the backup.
Continue
Continue to Install the Base Ubuntu System