This is a copy of the software, tools and configs that Techno Tim uses to secure his servers. This is a list of the commands used in order to make the setup easier. Prepare for some cutting and pasting.
Update
    sudo apt-get update && sudo apt-get upgrade -y
Reconfigure unattended-upgrades
    sudo dpkg-reconfigure --priority=low unattended-upgrades
Verify the unattended-upgrades configuration file in your text editor of choice:
    /etc/apt/apt.conf.d/20auto-upgrades
To stop unattended-upgrades from rebooting the server automatically, edit the following file:
    /etc/apt/apt.conf.d/50unattended-upgrades
And uncomment the following line by removing the leading slashes:
    //Unattended-Upgrade::Automatic-Reboot "false";
Account
Add user
Add to sudoers
    sudo usermod -aG sudo someuser
SSH Server
Install
    sudo apt-get install openssh-server
Copy key from client to server
Switch to key based auth
    sudo nano /etc/ssh/sshd_config
Add these attributes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
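An added check for the two settings above (not from the original page): sshd keeps the first value it reads for each keyword, so a `no` placed below an earlier `yes` has no effect. The function names and both sample configs are constructed for illustration.

```shell
# Added example, not from the original page. Function names are hypothetical.

# effective_value FILE KEYWORD
# Print the first global value of KEYWORD in FILE (lowercased), or "unset".
# sshd keeps the first value it reads; Include lines are not followed here.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t]+/)
            key = tolower(f[1])            # keywords are case-insensitive
            if (key == "match") exit       # Match blocks are conditional
            if (key == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_ssh_auth FILE
# Return 0 only if both settings from this page are effectively "no".
audit_ssh_auth() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "ok    $kw $val"
        else
            echo "FAIL  $kw $val"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: both contain the two "no" lines, but in shadowed.conf
# an earlier "yes" comes first and therefore wins.
SAMPLES=$(mktemp -d)
printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    > "$SAMPLES/shadowed.conf"
printf '%s\n' '# constructed sample' 'passwordauthentication no' \
    'ChallengeResponseAuthentication no' 'Match User backup' \
    '    X11Forwarding no' > "$SAMPLES/hardened.conf"

audit_ssh_auth "$SAMPLES/shadowed.conf" || echo "shadowed.conf: an earlier value overrides the no"
audit_ssh_auth "$SAMPLES/hardened.conf" && echo "hardened.conf: both settings are no"
```

On a live host, `sudo sshd -T` prints the effective values, including settings pulled in through `Include` lines.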
Networking
Static IP
    sudo nano /etc/netplan/01-netcfg.yaml

    network:
      version: 2
      renderer: networkd
      ethernets:
        ens18:
          dhcp4: no
          addresses:
            - 192.168.0.222/24
          gateway4: 192.168.0.1
          nameservers:
            addresses: [192.168.0.4]
Hostname
    sudo hostnamectl set-hostname
Time Zone
Check time zone:
Change time zone:
    sudo timedatectl set-timezone
You can also use this command if you want to use a menu.
    sudo dpkg-reconfigure tzdata
NTP Time
    sudo nano /etc/systemd/timesyncd.conf
    sudo timedatectl set-ntp off
    sudo timedatectl set-ntp on
Install KVM Agent
    sudo apt-get install qemu-guest-agent
Firewall
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
Fail2ban
    sudo apt-get install fail2ban
    sudo cp /etc/fail2ban/fail2ban.{conf,local}
    sudo cp /etc/fail2ban/jail.{conf,local}
    sudo nano /etc/fail2ban/jail.local
Check status
    sudo fail2ban-client status
    sudo fail2ban-client status sshd