BASIC SETUP

1. Document machine info

Go to the specific page for the machine (create it from the new machine template if it doesn't exist) and edit the machine name (as defined during initial OS install), the IP address (even if it will be changed later) and - in parentheses - “(DHCP/Static)”. Also document the admin username and the OS and version. Keep the admin password in a password manager and reference that entry from the page rather than pasting the password into the wiki: anyone with read access to the wiki, and every backup of it, would otherwise have it. For each step that follows, add it to the documentation.

All of the above helps to ensure that a) if something goes amiss later, you won’t have to totally reinstall the OS to recover and b) if the question arises “was _ done?” there won’t be any doubts.

2. Login to server and run system updates

      ssh root@[server_ip]
      apt update && apt upgrade -y

3.1. Change server hostname (Armbian)

      armbian-config
      select Personal
      select Hostname
      enter new hostname
      exit armbian-config
      logout (and back in)

3.2. Change server hostname (Debian)

From the SSH session (or a terminal window on the console, Ctrl+Alt+T):

      sudo hostnamectl set-hostname [new hostname]
      exit

hostnamectl writes /etc/hostname, so the name survives a reboot; a bare “hostname [new hostname]” only changes it until the next boot. Also replace the old name in /etc/hosts, or sudo warns on every invocation that it cannot resolve the host. Reestablish the SSH connection:

      ssh root@[ip_address]

4.1. Give server a static IP address (Armbian)

      armbian-config
      Select “Network” then “IP”
      Find line for Ethernet adapter - should be “eth0” or start with “en” - press Enter
      Select “Static”

On the next dialog, change the IP address to the desired IP and edit the Netmask and Gateway. The SSH session drops as soon as the address changes; reconnect to the new address.

      Update documentation with new static IP

4.2. Give server a static IP address (Debian)

Stock Debian has no armbian-config menu for this. On a default server install the address is set in ifupdown's /etc/network/interfaces, by replacing the adapter's dhcp stanza with a static one, and the interface is then brought up again or the server rebooted (doing it over SSH drops the session either way). Update documentation with the new static IP.
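
The stanza for step 4.2, as an added example that is not part of the original page: a small generator that validates each address and checks that the gateway is inside the address's subnet before printing anything, because a typo here is the classic way to turn a headless box into a trip to the console. The interface name (eth0), address (10.10.10.20), netmask and gateway are hypothetical placeholders, not values from the page.

```bash
#!/bin/sh
# Added example (not from the original page): build the ifupdown stanza for a
# static IPv4 address on a stock Debian server, the counterpart of the
# armbian-config "Static" dialog. Assumed, hypothetical values: interface eth0,
# address 10.10.10.20, netmask 255.255.255.0, gateway 10.10.10.1. The stanza is
# printed for review rather than written to /etc/network/interfaces.

# valid_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with every octet 0-255
valid_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# same_subnet ADDRESS NETMASK GATEWAY -> returns 0 if the gateway lies in the
# address's subnet (a gateway outside it is the usual reason a "static" box comes
# up with no route out). Assumes a contiguous netmask, as ifupdown does.
same_subnet() {
    printf '%s %s %s\n' "$1" "$2" "$3" | awk '{
        split($1, a, "."); split($2, m, "."); split($3, g, ".")
        for (i = 1; i <= 4; i++) {
            h = 256 - m[i]                       # size of the host part in this octet
            if (a[i] - a[i] % h != g[i] - g[i] % h) exit 1   # network bits differ
        }
    }'
}

# static_stanza IFACE ADDRESS NETMASK GATEWAY -> prints the stanza, or prints
# nothing and returns 1 if an address is malformed or the gateway is unreachable
static_stanza() {
    iface=$1; addr=$2; mask=$3; gw=$4
    for a in "$addr" "$mask" "$gw"; do
        if ! valid_ipv4 "$a"; then
            printf 'static_stanza: not an IPv4 address: %s\n' "$a" >&2
            return 1
        fi
    done
    if ! same_subnet "$addr" "$mask" "$gw"; then
        printf 'static_stanza: gateway %s is not in the subnet of %s/%s\n' "$gw" "$addr" "$mask" >&2
        return 1
    fi
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    gateway %s\n' \
        "$iface" "$iface" "$addr" "$mask" "$gw"
}

# Demonstration with the assumed values. This replaces the "iface eth0 inet dhcp"
# stanza the installer wrote; keep the "auto"/"allow-hotplug" line it had.
static_stanza eth0 10.10.10.20 255.255.255.0 10.10.10.1
```

Review the printed stanza, put it in /etc/network/interfaces in place of the adapter's existing dhcp stanza, and reboot (or restart networking from the console). Resolvers are not part of the stanza; they live in /etc/resolv.conf. Armbian manages the network differently, so use armbian-config there as in 4.1.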

5. Enable automatic updates

      apt install -y unattended-upgrades
      dpkg-reconfigure --priority=low unattended-upgrades  [yes]

6. Install micro (text editor)

      apt install -y micro

7. Create limited user and give sudo privileges

  adduser [username]
  usermod -aG sudo [username]

You should, at this point, switch to the user account you just created (the dash gives you a login shell, so the new account's environment and home directory are set up properly)…

  su - [username]

8. Change SSH port & disable IPv6

  ssh [username]@[server_ip]
  sudo micro /etc/ssh/sshd_config
  Uncomment the line that says “Port 22” and change 22 to an unused port between 1024 and 65535 (a random 4 digit number is fine). Document it. This cuts the log noise from scanners that only try port 22; it is not a security control, and a port scan still finds sshd.
  Uncomment the “AddressFamily” line and change “any” to “inet”. This stops sshd listening on IPv6; IPv6 stays enabled for everything else on the system.
  save and exit (run sshd's own syntax check, sudo sshd -t, and fix anything it reports before restarting; a typo here means sshd will not come back up)
  sudo systemctl restart sshd
  Keep this session open and confirm from a second terminal that ssh [username]@[server_ip] -p [port] works before closing it.

9. Download and setup .aliases

  wget https://github.com/don-ferris/bash-aliases/raw/main/.aliases
  cat ~/.aliases   (review every alias before going further: the file is fetched from a GitHub repository over the network and will run in every shell you open as this user)
  echo 'source ~/.aliases' >> ~/.bashrc && cat ~/.bashrc
  source ~/.bashrc && alias

SECURE SSH

1. Create public/private key pair

On the server (logged in as [username]), make sure the .ssh directory exists with the right permissions, then log out:

  mkdir ~/.ssh && chmod 700 ~/.ssh
  logout

On the workstation, generate the key pair (Enter to accept the default location). Give the key a passphrase: an unencrypted private key file logs in to every server it has been copied to, and with ssh-agent you type the passphrase once per session, not once per login. ssh-keygen -t ed25519 is an equally good choice; the explicit -t rsa matters because newer ssh-keygen versions default to ed25519 and silently ignore -b.

  ssh-keygen -t rsa -b 4096

Copy the public key to the server ([username] is the server account, which need not match your workstation login):

  ssh-copy-id -p [new ssh port] [username]@[server_ip]

2. Disable root login (attackers can try to brute force the root password forever and they’ll FAIL every time)

  sudo micro /etc/passwd
  Find the root user line (it should be the first line) and change “/bin/bash” (at the end of the line) to “/usr/sbin/nologin” (the path on Debian and Armbian; /bin/nologin does not exist there)
  save and exit
  sudo micro /etc/ssh/sshd_config
  Find the “PermitRootLogin” line and change “yes” to “no” 

The sshd setting is the one that matters: with PermitRootLogin no, sshd refuses root regardless of which password or key is offered. The nologin shell is belt and braces, and it has one side effect worth knowing about: su and sudo -i start the target user's shell, so both stop working for root. Use sudo -s or sudo bash (which run your own shell as root) once you are logged in as [username]; sudo itself is unaffected.

  Uncomment the lines "MaxAuthTries" and "MaxSessions" (the defaults are 6 and 10; lowering MaxAuthTries to 3 drops a connection after three bad attempts, which is plenty once logins are key-only)

3. Disable password logins (keys only)

  Find the “PasswordAuthentication” line, uncomment it, and change “yes” to “no”
  Save and exit
  sudo systemctl restart sshd
  Test before logging out: verify that everything works by opening a new terminal window (on the workstation) and logging into the server with ssh [username]@[server_ip] -p [port]. The login must succeed without asking for the account password (a prompt for the key passphrase is fine). If there are problems, troubleshoot and fix while you’re still logged in (in the other terminal window); closing that window with a broken config means a trip to the console.
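
The sshd_config edits from step 8 and SECURE SSH steps 2 and 3, as an added example that is not from the original page: a script that applies them to a copy of the file so the result can be diffed and syntax-checked before it goes live. The hard part of editing sshd_config by hand is not the values but where they land: sshd takes the first value it sees for a key, and anything placed after a Match block applies to that block only. The function below replaces the first global occurrence (active or commented out), comments out later global duplicates, and adds missing keys before the first Match block. The port 2222 and the sample config are hypothetical.

```bash
#!/bin/sh
# Added example (not from the original page): apply the page's sshd_config
# changes to a COPY of the file. Assumed, hypothetical: port 2222 and the
# sample config written by write_sample_config.

# set_sshd_option FILE KEY VALUE
# Replaces the first global occurrence of KEY (active or "#"-commented) with
# "KEY VALUE", comments out later global duplicates, and leaves Match blocks
# untouched. A missing KEY is added before the first Match block, never after.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indentation and a leading "#"
            split(line, w, /[ \t]+/)
            is_key = (tolower(w[1]) == tolower(key))
        }
        /^[ \t]*Match([ \t]|$)/ { if (!done) { print key " " value; done = 1 }; in_match = 1 }
        is_key && !in_match && !done { print key " " value; done = 1; next }
        is_key && !in_match && done  { print "#" $0; next }   # silence a duplicate
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps the original mode/owner
    rm -f "$tmp"
}

# sshd_option FILE KEY -> prints the effective global value (first active line
# before any Match block); prints nothing if sshd's default applies
sshd_option() {
    awk -v key="$2" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd FILE PORT -> every setting the page asks for, in one place
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" AddressFamily inet
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" MaxAuthTries 3
    set_sshd_option "$1" MaxSessions 4
}

# write_sample_config FILE -> a constructed stand-in for /etc/ssh/sshd_config,
# including the two traps: a duplicate global line and a Match-scoped override
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demonstration on a temporary copy
demo=$(mktemp)
write_sample_config "$demo"
harden_sshd "$demo" 2222
cat "$demo"
rm -f "$demo"
```

On the server: cp /etc/ssh/sshd_config /tmp/sshd_config.new (the file is world-readable on Debian), run harden_sshd /tmp/sshd_config.new [port], read the diff against the live file, check it with sudo sshd -t -f /tmp/sshd_config.new, and only then install it over /etc/ssh/sshd_config and restart sshd, with the existing session kept open as the page says.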

4. Fail2ban - Lockout IPs after multiple failed connection attempts

  sudo apt install -y fail2ban
  sudo bash -c 'echo "[sshd]" > /etc/fail2ban/jail.d/00-sshd.conf'
  sudo bash -c 'echo "enabled = true" >> /etc/fail2ban/jail.d/00-sshd.conf'
  sudo bash -c 'echo "ignoreip = 127.0.0.1/8 [workstation IP or subnet]" >> /etc/fail2ban/jail.d/00-sshd.conf'
  sudo bash -c 'echo "port = [custom SSH port]" >> /etc/fail2ban/jail.d/00-sshd.conf'
  sudo bash -c 'echo "findtime = 1m" >> /etc/fail2ban/jail.d/00-sshd.conf'
  sudo bash -c 'echo "maxretry = 5" >> /etc/fail2ban/jail.d/00-sshd.conf'
  sudo bash -c 'echo "bantime = 10m" >> /etc/fail2ban/jail.d/00-sshd.conf'
  sudo systemctl enable --now fail2ban
  sudo systemctl status fail2ban

The “[sshd]” header on the first line is required: files in jail.d are INI files, and fail2ban cannot parse one that has settings but no section, so the whole configuration fails to load. “port = [custom SSH port]” is what makes the jail watch the port sshd actually uses instead of 22. ignoreip should be the workstation's address, so that fat-fingering your own key passphrase five times cannot lock you out. On Debian 12, which installs no rsyslog and therefore has no /var/log/auth.log, if the service log says it cannot find a log file for the sshd jail, add “backend = systemd” to the same [sshd] section so it reads the journal instead.

Check jail status (any time)…

  sudo fail2ban-client status sshd
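
What the jail does with those settings, as an added example that is not part of the original page: a toy version of the sshd jail run over constructed log lines, so the effect of maxretry, findtime and ignoreip can be seen without waiting for an attacker. The log lines, hostnames and addresses are made up; the script assumes journal-style timestamps within one day and a single ignoreip address (real fail2ban also takes CIDR ranges and unbans after bantime; this toy does neither).

```bash
#!/bin/sh
# Added example (not from the original page): a minimal model of fail2ban's
# sshd jail. Assumptions: ISO timestamps in field 1, all on one calendar day,
# one exact-match ignoreip, no unban.

# offenders LOGFILE MAXRETRY FINDTIME_SECONDS IGNOREIP
# Prints each source IP at the moment it reaches MAXRETRY failed passwords
# inside a sliding FINDTIME window, once per IP, skipping IGNOREIP.
offenders() {
    awk -v maxretry="$2" -v findtime="$3" -v ignore="$4" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($1, d, "T"); split(d[2], h, ":")       # 2023-10-23T18:14:01 -> seconds into the day
            t = h[1] * 3600 + h[2] * 60 + h[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == ignore) next
            n[ip]++; seen[ip, n[ip]] = t
            c = 0
            for (j = 1; j <= n[ip]; j++) if (t - seen[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }' "$1"
}

# write_sample_log FILE -> constructed sshd log lines (not a real capture):
# a fast brute force (203.0.113.5), a slow one (192.0.2.9), and the admin
# workstation (10.10.10.2) mistyping its passphrase
write_sample_log() {
    cat > "$1" <<'EOF'
2023-10-23T18:10:00 srv sshd[1101]: Failed password for root from 192.0.2.9 port 40210 ssh2
2023-10-23T18:12:30 srv sshd[1105]: Failed password for root from 192.0.2.9 port 40211 ssh2
2023-10-23T18:14:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2023-10-23T18:14:03 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2023-10-23T18:14:05 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
2023-10-23T18:14:08 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
2023-10-23T18:14:09 srv sshd[1205]: Accepted publickey for ops from 10.10.10.2 port 40001 ssh2
2023-10-23T18:14:12 srv sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
2023-10-23T18:14:20 srv sshd[1209]: Failed password for ops from 10.10.10.2 port 40002 ssh2
2023-10-23T18:14:22 srv sshd[1209]: Failed password for ops from 10.10.10.2 port 40002 ssh2
2023-10-23T18:14:24 srv sshd[1209]: Failed password for ops from 10.10.10.2 port 40002 ssh2
2023-10-23T18:14:26 srv sshd[1211]: Failed password for ops from 10.10.10.2 port 40003 ssh2
2023-10-23T18:14:28 srv sshd[1211]: Failed password for ops from 10.10.10.2 port 40003 ssh2
2023-10-23T18:15:00 srv sshd[1301]: Failed password for root from 192.0.2.9 port 40212 ssh2
2023-10-23T18:17:30 srv sshd[1305]: Failed password for root from 192.0.2.9 port 40213 ssh2
2023-10-23T18:19:30 srv sshd[1309]: Failed password for root from 192.0.2.9 port 40214 ssh2
EOF
}

# Demonstration: the page's settings (maxretry 5, findtime 1m) with and
# without the workstation in ignoreip
log=$(mktemp)
write_sample_log "$log"
echo "ignoreip=10.10.10.2:"; offenders "$log" 5 60 10.10.10.2
echo "no ignoreip:";         offenders "$log" 5 60 ""
rm -f "$log"
```

The slow scanner at 192.0.2.9 never trips a 1 minute findtime with 5 retries; it only shows up once findtime is stretched to cover its whole run, which is the trade-off behind those two numbers.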

CHECK PORTS & ENABLE/CONFIGURE FIREWALL

1. Review open ports

  sudo ss -tulpn

Look over the listed ports. You’ll see 0.0.0.0:[custom SSH port #] (the one you set up above). Anything bound to 127.0.0.1 or [::1] is reachable only from the server itself; anything on 0.0.0.0, [::] or * is reachable from the network and needs a reason to be there. Look up any open port you don’t recognize, and use the Process column (which is why the command needs sudo) to see which daemon owns it.

2. Install and enable UFW firewall

  sudo apt install -y ufw
  Open port for SSH logins: sudo ufw allow [custom SSH port #]/tcp
  sudo ufw enable
  sudo ufw status verbose  (review output; the default policy should read “deny (incoming), allow (outgoing)”)

The allow rule has to go in before “ufw enable”, or the firewall comes up with SSH blocked and the only way back in is the console. Switch to a different/new terminal window and confirm ability to login.

3. Disable ping

  sudo bash -c 'echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf'
  sudo bash -c 'echo "net.ipv6.icmp.echo_ignore_all=1" >> /etc/sysctl.conf'

Apply the changes:

  sudo sysctl -p
  Test by trying to ping the server from your workstation (it should time out)

This hides the box from a casual ping sweep and nothing more: a scanner that skips host discovery (nmap -Pn) still finds the open SSH port, and you lose ping as a diagnostic tool. Treat it as a preference, not a substitute for the firewall.
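
Turning the port review into a comparison against a list rather than a stare at the screen, as an added example that is not part of the original page: the function below reads saved ss -tulpn output, drops loopback-only sockets, and reports every network-reachable listener whose port is not on an allowlist. The sample output is constructed (hypothetical processes, SSH on a hypothetical port 2222).

```bash
#!/bin/sh
# Added example (not from the original page): triage "ss -tulpn" output.
# Assumptions: the constructed sample below; the allowlist is a space-separated
# list of port numbers.

# unexpected_listeners SSFILE "PORT PORT ..."
# Prints "proto port process" for each socket that listens on a non-loopback
# address and whose port is not on the allowlist.
unexpected_listeners() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                                   # column header
        {
            k = split($5, parts, ":"); port = parts[k]     # handles 0.0.0.0:22 and [::]:22
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: not reachable from the network
            if (port in ok) next
            proc = ($7 == "") ? "-" : $7                   # Process column is empty without sudo
            sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
            print $1, port, proc
        }' "$1"
}

# write_sample_ss FILE -> constructed "ss -tulpn" output, not a real capture
write_sample_ss() {
    cat > "$1" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=512,fd=5))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=498,fd=6))
tcp   LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*     users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:6379      0.0.0.0:*     users:(("redis-server",pid=812,fd=6))
tcp   LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*     users:(("docker-proxy",pid=1530,fd=4))
tcp   LISTEN 0      128             [::]:2222         [::]:*     users:(("sshd",pid=701,fd=4))
EOF
}

# Demonstration: only the SSH port is expected
sample=$(mktemp)
write_sample_ss "$sample"
unexpected_listeners "$sample" "2222"
rm -f "$sample"
```

On the server: sudo ss -tulpn > /tmp/listeners.txt, then unexpected_listeners /tmp/listeners.txt "[custom SSH port]" and chase every line it prints. Keep the output in the machine's documentation and rerun it after installing anything; the docker-proxy line in the sample is the kind of entry that appears later without anyone touching ufw.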

INSTALL DOCKER AND DOCKER-COMPOSE (Also installs Python3)

1. Install Docker and docker-compose

  sudo apt install -y docker.io && sudo docker version
  sudo apt install -y docker-compose && sudo docker-compose version

2. Update AppArmor

  sudo apt install -y apparmor

3. Run system update

  sudo apt update && sudo apt upgrade -y

4. Run Docker commands without sudo

  sudo groupadd docker  (the group normally already exists after installing docker.io; “group 'docker' already exists” is fine)
  sudo usermod -aG docker $USER

Membership of the docker group is root-equivalent: anyone in it can start a container with the host filesystem mounted and do as they like with it. Add only the admin account and treat the group exactly like sudo.

5. Relogin (the new group only takes effect in a new login session)

  sudo su - $USER

6. Test Docker (and no-sudo)

  docker run hello-world

Two things to know before publishing container ports. Docker installs its own iptables rules ahead of ufw's, so a container started with -p 8080:80 is reachable from the network even though ufw never allowed port 8080; bind to 127.0.0.1 (-p 127.0.0.1:8080:80) for services that should only be reached through a local reverse proxy, and repeat the open-port review above after every new container. And docker-compose from the Debian package is the older Python implementation, which is why Python3 arrives with it.

Last modified: 2023/10/23 18:14
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International