New Linux server checklist
Your new server checklist
When you obtain a new server, be it for work or for your personal projects, what checklist do you have for the maintenance and upkeep of it? This includes general configuration, security and application installation.
For me, it differs depending on whether it is a Linux or a Windows server.
Linux Server checklist
- Log into the server and run updates.
This can be done by running the following commands:
sudo apt-get update && sudo apt-get upgrade
- Configure unattended updates.
Run the following commands:
sudo apt install unattended-upgrades apt-listchanges bsd-mailx
Configure unattended security updates:
sudo dpkg-reconfigure -plow unattended-upgrades
Configure automatic updates by editing the configuration file here:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
I prefer nano, but you can use vi or an editor of your choice!
I then configure email alerts as follows (put your own address in place of the placeholder):
Unattended-Upgrade::Mail "admin@example.com";
I also configure automatic reboots:
Unattended-Upgrade::Automatic-Reboot "true";
Save and close the file, and then run a dry-run to test the configuration and confirm working:
sudo unattended-upgrades --dry-run
Note that the above can be automated with a tool such as Ansible or Puppet, if you prefer or have a large number of servers to manage.
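The edits to 50unattended-upgrades above are easy to get wrong by hand (the stock file ships both settings commented out with "//", and a second pass with sed or echo tends to leave duplicate lines). The shell functions below are an added example, not part of the original post: they replace the first matching line whether it is active or commented, append the directive only when it is absent, and then run the same dry-run the checklist uses. Function names and the sample file are the example's own; the sample only mirrors the shape of the stock file.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent edits for
# /etc/apt/apt.conf.d/50unattended-upgrades, followed by the checklist's dry-run.
# Function names and the sample file are this example's own.

# set_apt_conf_option FILE KEY VALUE
# Rewrites the first line for KEY, whether active or commented out with "//",
# and appends the directive when the file has no such line. Requiring a space
# after KEY stops Unattended-Upgrade::Automatic-Reboot from matching the
# ...-Reboot-Time line.
set_apt_conf_option() {
  file=$1; key=$2; value=$3
  line="$key \"$value\";"
  if grep -Eq "^[[:space:]]*(//[[:space:]]*)?$key[[:space:]]" "$file"; then
    awk -v key="$key" -v repl="$line" '
      !done && $0 ~ ("^[[:space:]]*(//[[:space:]]*)?" key "[[:space:]]") { print repl; done = 1; next }
      { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# get_apt_conf_option FILE KEY
# Prints the value of the active (uncommented) directive, or nothing.
get_apt_conf_option() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | head -n 1
}

# configure_unattended_upgrades FILE MAIL
# Applies the two settings from the checklist: mail alerts and automatic reboots.
configure_unattended_upgrades() {
  set_apt_conf_option "$1" 'Unattended-Upgrade::Mail' "$2"
  set_apt_conf_option "$1" 'Unattended-Upgrade::Automatic-Reboot' 'true'
}

# make_sample_conf FILE
# Writes a constructed sample in the shape of the stock file (not a copy of it).
make_sample_conf() {
  printf '%s\n' \
    '// Send email to this address for problems or packages upgrades' \
    '//Unattended-Upgrade::Mail "";' \
    '//Unattended-Upgrade::Automatic-Reboot "false";' \
    '//Unattended-Upgrade::Automatic-Reboot-Time "02:00";' > "$1"
}

# Usage on a real host (as root):  sh this_script.sh --apply admin@example.com
if [ "${1:-}" = "--apply" ]; then
  configure_unattended_upgrades /etc/apt/apt.conf.d/50unattended-upgrades "${2:?mail address}"
  unattended-upgrades --dry-run
fi
```

Running the script a second time leaves the file unchanged, which is what makes it safe to drop into a configuration-management run.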
- Set the hostname
sudo hostnamectl set-hostname YourServerNameHere
- Configure a new user and deny root login (if this has not already been set by policy/template)
Create your new user:
sudo adduser userNameHere
Enter a password and the other requested details to create the account.
Add the user to the sudo group:
sudo usermod -aG sudo userNameHere
Alternatively, create the user and grant sudo in a single command (useradd fails if the account already exists, so use this instead of adduser, not after it):
sudo useradd -s /bin/bash -d /home/katos/ -m -G sudo katos
Explanation of the above command:
- -s /bin/bash – set /bin/bash as the login shell of the new account
- -d /home/katos/ – set /home/katos/ as the home directory of the new account
- -m – create the user's home directory
- -G sudo – add user katos to the sudo group, i.e. give admin access to the new account
Deny root login:
sudo nano /etc/ssh/sshd_config
From here, adjust the below line:
#PermitRootLogin yes
to:
PermitRootLogin no
Then restart SSH (the service is named ssh on Debian and Ubuntu):
sudo systemctl restart ssh
- Add SSH keys as required.
- Limit open ports and ensure that the Linux Firewall is running
For my firewall, I oftentimes run CrowdSec (the open-source, collaborative security IPS). Depending on my server requirements, I might also install SELinux for additional hardening:
sudo apt-get install selinux-basics selinux-policy-default auditd
sudo selinux-activate
sudo check-selinux-installation
selinux-activate schedules a filesystem relabel, so reboot before relying on it.
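"Limit open ports" is only checkable if you know which ports are actually reachable from other hosts, as opposed to bound to loopback. The functions below are an added example, not part of the original post: they read `ss -tln` output, keep the ports bound to a wildcard address, and compare them against an allow-list so the check can gate a deployment. The sample output is constructed, not a real capture, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): list listening TCP ports that are
# reachable from other hosts and flag any outside an allow-list.
# Input is `ss -tln` output on stdin; the sample below is constructed.

# exposed_ports
# Prints each port bound to a wildcard address (0.0.0.0, *, ::), i.e. not
# limited to loopback, one per line, sorted and de-duplicated.
exposed_ports() {
  awk '$1 == "LISTEN" {
    n = split($4, parts, ":"); port = parts[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") print port
  }' | sort -n | uniq
}

# unexpected_ports "22 443"
# Prints exposed ports that are not in the space-separated allow-list.
unexpected_ports() {
  allowed=" $1 "
  exposed_ports | while read -r port; do
    case "$allowed" in
      *" $port "*) ;;
      *) echo "$port" ;;
    esac
  done
}

# check_exposed "22 443"
# Exit status 1 when something outside the allow-list is listening.
check_exposed() {
  found=$(unexpected_ports "$1")
  if [ -n "$found" ]; then
    echo "unexpected listening ports: $(echo "$found" | tr '\n' ' ')"
    return 1
  fi
  return 0
}

# Constructed sample in the shape of `ss -tln` output (not a real capture):
# sshd on all addresses, MySQL and Redis on loopback only, a web server on *:80.
sample_ss_output() {
  printf '%s\n' \
    'State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process' \
    'LISTEN 0      128    0.0.0.0:22          0.0.0.0:*' \
    'LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*' \
    'LISTEN 0      511    *:80                *:*' \
    'LISTEN 0      128    [::]:22             [::]:*' \
    'LISTEN 0      128    [::1]:6379          [::]:*'
}

# On a real host:  ss -tln | check_exposed "22 80 443"
```

Whatever the allow-list says, the firewall should enforce the same set; this check catches the gap where a service starts listening on all interfaces before a rule was written for it.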
- Where security is absolutely paramount and the server requires external access that could put it at risk, I require MFA, for example with the libpam-google-authenticator package:
sudo apt-get install libpam-google-authenticator
Then run the setup tool as the user who will be logging in:
google-authenticator
At the following prompt, select Y:
Do you want authentication tokens to be time-based (y/n)
I also then rate-limit login attempts to protect against brute forcing:
If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)
Next, edit the sshd_config file
sudo nano /etc/ssh/sshd_config
and set the following two directives:
UsePAM yes
ChallengeResponseAuthentication yes
Now restart SSH:
sudo systemctl restart ssh
And finally, require the use of authenticator:
sudo nano /etc/pam.d/sshd
Add the following entry at the end of that file:
auth required pam_google_authenticator.so
We can now save and close this file. From now on SSH will use Google Authenticator to confirm MFA.
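Both the "deny root login" step and the MFA step above edit sshd_config and then restart the daemon, which is the moment a typo can lock you out. The script below is an added example, not part of the original post: it rewrites each directive in place (replacing the commented stock line where there is one, since sshd honours the first match), appends the PAM line only once, audits the result, and validates with `sshd -t` before restarting. It also sets KbdInteractiveAuthentication, the current name for ChallengeResponseAuthentication in OpenSSH 8.7 and later; a stock file that says `KbdInteractiveAuthentication no` would otherwise silently win over the appended alias. Function names and the sample config are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent sshd_config edits for
# the deny-root-login and MFA steps, an audit, an append-once helper for
# /etc/pam.d/sshd, and a syntax check before restart. Names are this example's
# own; the sample config is constructed, not a real sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrites the first line for KEY, active or "#"-commented, so the directive
# sits where the stock one was (sshd uses the first match); appends if absent.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
    awk -v key="$key" -v repl="$key $value" '
      !done && tolower($0) ~ ("^[[:space:]]*#?[[:space:]]*" tolower(key) "[[:space:]]") { print repl; done = 1; next }
      { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s\n' "$key $value" >> "$file"
  fi
}

# sshd_option_value FILE KEY
# Prints the value of the first active directive for KEY (keys are
# case-insensitive). Ignores Match blocks and Include drop-ins.
sshd_option_value() {
  awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" 'tolower($1) == key { print $2; exit }' "$1"
}

# ensure_line FILE LINE: append LINE unless an identical line already exists.
ensure_line() {
  grep -Fxq -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# harden_sshd_file FILE: the checklist's directives. KbdInteractiveAuthentication
# is the OpenSSH 8.7+ name for ChallengeResponseAuthentication; setting both
# keeps the OTP prompt working whichever spelling the stock file uses.
harden_sshd_file() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" UsePAM yes
  set_sshd_option "$1" KbdInteractiveAuthentication yes
  set_sshd_option "$1" ChallengeResponseAuthentication yes
}

# audit_sshd FILE: returns 1 and names each directive that is not as expected.
audit_sshd() {
  rc=0
  for pair in PermitRootLogin=no UsePAM=yes KbdInteractiveAuthentication=yes; do
    key=${pair%=*}; want=${pair#*=}
    got=$(sshd_option_value "$1" "$key")
    [ "$got" = "$want" ] || { echo "$key is '${got:-unset}', expected '$want'"; rc=1; }
  done
  return $rc
}

# make_sample_sshd_config FILE: constructed sample (not a real sshd_config).
make_sample_sshd_config() {
  printf '%s\n' \
    'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PermitRootLogin prohibit-password' \
    'KbdInteractiveAuthentication no' \
    'UsePAM yes' > "$1"
}

# apply_on_host: run as root. sshd -t parses the config and fails on errors,
# so a typo is caught before the restart rather than after the lockout.
apply_on_host() {
  harden_sshd_file /etc/ssh/sshd_config
  ensure_line /etc/pam.d/sshd 'auth required pam_google_authenticator.so'
  sshd -t && systemctl restart ssh
}
```

Two caveats for current Ubuntu releases: drop-in files under /etc/ssh/sshd_config.d/ are included at the top of sshd_config and therefore take precedence, so audit those as well; and with key-based logins the PAM line only adds the OTP to password logins unless you also set `AuthenticationMethods publickey,keyboard-interactive` to require both.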
- Of course, the most important setup of all is configuring backups. Depending on how and where I am hosting, I usually do this through automated Veeam backups and VMware snapshots. I also have DigitalOcean backups for my servers hosted there, and I even mount OneDrive as a mount point on Linux and back up files such as database dumps to it. Let me know if you want a tutorial for this!