Thursday, 9 October 2008

What I allways install/change on my ubuntu servers

I'm installing several ubuntu servers for various purpose (home server, Secondary DNS server, new primary DNS server, web servers, development servers).

For each one, I write the setup documentation (which are stored on a google apps premium account, which is by the way a must have for all the cooperative stuff).

Here is what I do for all servers, no matter the final use :

useful software




sudo -s # switch to root account as at setup I do a lot of root stuff
apt-get update # update the apt-get package list
apt-get upgrade # upgrade all package that are installed by default
apt-get install vim-full; # A lot of dependencies comes along, but vim is much better after (need some config modification)
apt-get install sysstat; # To monitor Hard drive activities
apt-get install whois; # contains the mkpasswd command
apt-get install slocate; # slocate, to find file
apt-get install nmap; # nmap, a port scanner which help to see if your firewall is properly set up
apt-get install debian-helper-scripts; # install the 'service' command (ex: sudo service mysqld restart instead of /etc/init.d/mysqld restart, I'm used to the service command)
apt-get install ntp ntp-doc; # to keep the clock up to date (all computer tends to loose time because of Interruption)
apt-get install lynx # a text browser that help sometime to do some stuff
apt-get install unzip # unzip
apt-get install screen # detach a shell, to logout, re-logon, retrieve your work
apt-get install ndisc6 tcptraceroute # network diagnostic tools (like tcptraceroute, tcptraceroute6)
exit


Colored prompt and aliases



vi .bashrc and uncomment

force_colored_prompt=yes


if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi


vi .bash_aliases

and put :

alias ps="ps eaxjf" #ps as a tree, all system process

# enable color support of ls and also add handy aliases
if [ "$TERM" != "dumb" ] && [ -x /usr/bin/dircolors ]; then
eval "`dircolors -b`"
alias ls='ls --color=auto'
alias dir='ls --color=auto --format=vertical'
alias vdir='ls --color=auto --format=long'

alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi

alias ll='ls -la'
alias cd..="cd .." #type error I do often
alias uncd="cd $OLDPWD" #go to the previous directory (which can be different than cd .. ;)



Change the default home directory permission :



sudo vi /etc/adduser.conf

change DIR_MODE to :

DIR_MODE=0750

Change permission on the root directory



cd /
sudo chmod 700 root


CTRL+ALT+SUPPR disabling


sudo vi /etc/event.d/control-alt-delete

comment the line :
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"


Configuration of NTP


choose the closest NTP server from your server if you know one, or your country NTP server from pool.ntp.org

sudo vi /etc/ntp.conf

# You do need to talk to an NTP server or two (or three).
server mafreebox.free.fr # The triple play modem from my ISP (free) is also a NTP server
server ntp.ubuntu.com # default server
server fr.pool.ntp.org # NTP server for my country from the pool.ntp.org



Firewall configuration



IPv6 activation



sudo vi /etc/default/ufw

change to
IPV6=yes

Rules



Home server (ssh/http/samba)


sudo ufw logging off
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow 137/udp
sudo ufw allow 138/udp
sudo ufw allow 139/tcp
sudo ufw allow 445/tcp
sudo ufw disable;sudo ufw enable;



Production name server (DNS/HTTP/SSH for some hosts)



sudo ufw logging on

sudo ufw allow proto tcp from XX.XX.XX.XX to any port 22
sudo ufw allow proto tcp from XX.XX.XX.XX to any port 22
sudo ufw deny ssh # deny SSH for all host except the two above

sudo ufw allow domain # DNS port 53
sudo ufw allow http # http Port
sudo ufw disable;sudo ufw enable;


To allow an additional host to connect with ssh :

sudo ufw delete deny ssh                             #delete the rule : deny SSH for all
sudo ufw allow proto tcp from X.X.X.X to any port 22 #Add the IP for the additional host
sudo ufw deny ssh #deny ssh for all others (ie deny for all except the 2 existing hosts + the new one)
sudo ufw disable;sudo ufw enable; #reload the firewall



Firewall state example :

thomas@ns1:~$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
53:tcp ALLOW Anywhere
53:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
22:tcp ALLOW X.X.X.X
22:tcp ALLOW Y.Y.Y.Y
22:tcp DENY Anywhere
22:udp DENY Anywhere
53:tcp ALLOW Anywhere (v6)
53:udp ALLOW Anywhere (v6)
80:tcp ALLOW Anywhere (v6)
22:tcp DENY Anywhere (v6)
22:udp DENY Anywhere (v6)



VIM configuration



(I found the mouse activation too much disturbing... and anyway... the mouse slow you down more than being drunk ;)

sudo vim /etc/vim/vimrc

" All system-wide defaults are set in $VIMRUNTIME/debian.vim (usually just
" /usr/share/vim/vimcurrent/debian.vim) and sourced by the call to :runtime
" you can find below. If you wish to change any of those settings, you should
" do it in this file (/etc/vim/vimrc), since debian.vim will be overwritten
" everytime an upgrade of the vim packages is performed. It is recommended to
" make changes after sourcing debian.vim since it alters the value of the
" 'compatible' option.

" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim

" Uncomment the next line to make Vim more Vi-compatible
" NOTE: debian.vim sets 'nocompatible'. Setting 'compatible' changes numerous
" options, so any other options should be set AFTER setting 'compatible'.
"set compatible

" Vim5 and later versions support syntax highlighting. Uncommenting the next
" line enables syntax highlighting by default.
syntax on

" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark

" Uncomment the following to have Vim jump to the last position when
" reopening a file
if has("autocmd")
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$") \| exe "normal g'\"" | endif endif " Uncomment the following to have Vim load indentation rules according to the " detected filetype. Per default Debian Vim only load filetype specific " plugins. if has("autocmd") filetype indent on endif " The following are commented out as they cause vim to behave a lot " differently from regular Vi. They are highly recommended though. set showcmd " Show (partial) command in status line. set showmatch " Show matching brackets. set ignorecase " Do case insensitive matching set smartcase " Do smart case matching set incsearch " Incremental search set autowrite " Automatically save before commands like :next and :make set hidden " Hide buffers when they are abandoned "set mouse=a " Enable mouse usage (all modes) in terminals " Source a global configuration file if available " XXX Deprecated, please move your changes here in /etc/vim/vimrc if filereadable("/etc/vim/vimrc.local") source /etc/vim/vimrc.local endif


Log Rotate config



Change to 52 weeks of log retention as it's the new law in France.
And compress it.

sudo vim /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 52

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

/var/log/btmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

# system-specific logs may be configured here

2 comments:

downforce said...

Nice list .. I often do most of these things. Never thought of adding cd.. though!

Oh and you can use 'cd -' instead of 'uncd'.

Manson Thomas said...

cd.. : I often miss the space so it's quite convenient ;)

uncd is an old alias that I keep since I was in engineer school on HP-UX terminal. And $OLDPWD doesn't always work, I know 'cd -' since a few month, I'll change my 'server base install' document ;)