What I always install/change on my Ubuntu servers
I'm installing several Ubuntu servers for various purposes (home server, secondary DNS server, new primary DNS server, web servers, development servers).
For each one, I write the setup documentation (stored in a Google Apps Premium account, which is by the way a must-have for all the collaborative stuff).
Here is what I do for all servers, whatever their final use:
Useful software
sudo -s # switch to the root account, as I do a lot of root stuff at setup time
apt-get update # refresh the apt package list
apt-get upgrade # upgrade all packages installed by default
apt-get install vim-full # a lot of dependencies come along, but vim is much better afterwards (needs some config changes, see below)
apt-get install sysstat # to monitor hard drive activity
apt-get install whois # contains the mkpasswd command
apt-get install slocate # slocate, to find files
apt-get install nmap # nmap, a port scanner that helps check that your firewall is properly set up
apt-get install debian-helper-scripts # installs the 'service' command (e.g. sudo service mysqld restart instead of /etc/init.d/mysqld restart; I'm used to the service command)
apt-get install ntp ntp-doc # to keep the clock up to date (all computers tend to lose time because of interrupts)
apt-get install lynx # a text browser that sometimes helps to get things done
apt-get install unzip # unzip
apt-get install screen # detach a shell: log out, log back in, pick up your work where you left it
apt-get install ndisc6 tcptraceroute # network diagnostic tools (tcptraceroute, tcptraceroute6)
exit
Colored prompt and aliases
vi .bashrc and uncomment (the variable in Ubuntu's default .bashrc is force_color_prompt, not force_colored_prompt):
force_color_prompt=yes
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
vi .bash_aliases
and put :
alias ps="ps eaxjf" #ps as a tree, all system process
# enable color support of ls and also add handy aliases
if [ "$TERM" != "dumb" ] && [ -x /usr/bin/dircolors ]; then
eval "`dircolors -b`"
alias ls='ls --color=auto'
alias dir='ls --color=auto --format=vertical'
alias vdir='ls --color=auto --format=long'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
alias ll='ls -la'
alias cd..="cd .." # typo I make often
alias uncd='cd "$OLDPWD"' # go to the previous directory (which can be different from cd .. ;) - single quotes, so $OLDPWD is expanded when the alias is used, not when it is defined
Change the default home directory permissions:
sudo vi /etc/adduser.conf
change DIR_MODE to:
DIR_MODE=0750
Change permissions on root's home directory:
cd /
sudo chmod 700 root
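DIR_MODE only affects accounts created after the change; home directories that already exist keep their old mode (0755 by default), so they need to be audited and fixed by hand, just like /root above. The following helper is an added example and not part of the original post; the function names audit_home_perms and fix_home_perms are hypothetical, and stat -c '%a' assumes GNU or busybox stat.

```shell
#!/bin/sh
# Added example, not part of the original post. DIR_MODE in /etc/adduser.conf
# only applies to accounts created after the change; home directories that
# already exist keep their old mode (0755 by default), so they must be audited
# and fixed separately. Both functions below are hypothetical helpers.
#
# audit_home_perms BASE: print every directory directly under BASE whose mode
# grants any permission to "other"; return 1 if at least one was found, else 0.
audit_home_perms() {
    base=$1
    found=0
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}                      # drop the trailing slash from the glob
        mode=$(stat -c '%a' "$home")        # octal mode, e.g. 755 (GNU/busybox stat)
        other=${mode#"${mode%?}"}           # last octal digit = permissions for "other"
        if [ "$other" != 0 ]; then
            printf '%s mode %s: world-accessible\n' "$home" "$mode"
            found=1
        fi
    done
    return "$found"
}

# fix_home_perms BASE: remove all "other" permissions from every directory
# directly under BASE, which is what DIR_MODE=0750 gives new accounts.
fix_home_perms() {
    base=$1
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        chmod o-rwx "${home%/}"
    done
}

# Typical use on a server (needs root to read and change other users' homes):
#   sudo sh -c '. ./homeperms.sh; audit_home_perms /home && echo "all homes private"'
#   sudo sh -c '. ./homeperms.sh; fix_home_perms /home'
```

The audit only looks at the "other" bits: a 0750 home still lets the user's primary group read it, which is the trade-off DIR_MODE=0750 makes, so the check flags exactly the directories that DIR_MODE would have created differently.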
Disabling CTRL+ALT+DEL
sudo vi /etc/event.d/control-alt-delete
comment out the line:
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
Configuration of NTP
Choose the NTP server closest to your server if you know one, or your country's NTP server from pool.ntp.org.
sudo vi /etc/ntp.conf
# You do need to talk to an NTP server or two (or three).
server mafreebox.free.fr # The triple play modem from my ISP (free) is also a NTP server
server ntp.ubuntu.com # default server
server fr.pool.ntp.org # NTP server for my country from the pool.ntp.org
Firewall configuration
IPv6 activation
sudo vi /etc/default/ufw
change to:
IPV6=yes
Rules
Home server (ssh/http/samba)
sudo ufw logging off
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow 137/udp
sudo ufw allow 138/udp
sudo ufw allow 139/tcp
sudo ufw allow 445/tcp
sudo ufw disable;sudo ufw enable;
Production name server (DNS/HTTP/SSH for some hosts)
sudo ufw logging on
sudo ufw allow proto tcp from XX.XX.XX.XX to any port 22 # first host allowed to SSH in
sudo ufw allow proto tcp from YY.YY.YY.YY to any port 22 # second host allowed to SSH in
sudo ufw deny ssh # deny SSH for all hosts except the two above (ufw rules are ordered, so the allows must come first)
sudo ufw allow domain # DNS port 53
sudo ufw allow http # http Port
sudo ufw disable;sudo ufw enable;
To allow an additional host to connect with SSH:
sudo ufw delete deny ssh # delete the rule "deny SSH for all"
sudo ufw allow proto tcp from X.X.X.X to any port 22 # add the IP of the additional host
sudo ufw deny ssh # deny SSH for all others (i.e. deny for all except the 2 existing hosts + the new one)
sudo ufw disable;sudo ufw enable; # reload the firewall
Firewall state example:
thomas@ns1:~$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
53:tcp ALLOW Anywhere
53:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
22:tcp ALLOW X.X.X.X
22:tcp ALLOW Y.Y.Y.Y
22:tcp DENY Anywhere
22:udp DENY Anywhere
53:tcp ALLOW Anywhere (v6)
53:udp ALLOW Anywhere (v6)
80:tcp ALLOW Anywhere (v6)
22:tcp DENY Anywhere (v6)
22:udp DENY Anywhere (v6)
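The state listing above is what you want to see on the name server: port 22 allowed only from named hosts and denied from Anywhere. The order of the ufw commands matters, and a forgotten "ufw deny ssh" (or a plain "ufw allow ssh" left over from the home-server profile) silently leaves SSH open to the world. As an added example that is not part of the original post, here is a small checker that reads a "ufw status" listing and flags any rule allowing SSH from Anywhere. The function name check_ssh_exposure is hypothetical, and the two sample listings are constructed, not captured from a real host; they cover both the old "22:tcp" and the newer "22/tcp" notation.

```shell
#!/bin/sh
# Added example, not part of the original post: check a "ufw status" listing
# for rules that allow SSH from anywhere. Rules are read from standard input,
# so it works on "sudo ufw status" output or on a saved copy. Both the old
# "22:tcp" and the newer "22/tcp" port notation are recognised, the " (v6)"
# suffix is stripped so IPv4 and IPv6 rows are parsed the same way, and the
# "ALLOW IN" form printed by "ufw status verbose" is handled too.
# check_ssh_exposure prints each offending rule and returns 1 if any was
# found, 0 otherwise. The function name is a hypothetical one.
check_ssh_exposure() {
    awk '
        # Skip the headings and the column separator line.
        /^(Status|Firewall|To |-- )/ { next }
        NF == 0 { next }
        {
            rule = $0
            gsub(/ \(v6\)/, "")           # "22/tcp (v6) ALLOW Anywhere (v6)" -> "22/tcp ALLOW Anywhere"
            to = $1; action = $2; from = $3
            if (from == "IN" || from == "OUT") from = $4   # "ALLOW IN Anywhere" (verbose output)
        }
        to ~ /^22([:\/](tcp|udp))?$/ && action == "ALLOW" && from == "Anywhere" {
            print "SSH open to the world: " rule
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed samples in the two status formats (not captured from a real host).
# This one matches the post: SSH allowed only from two hosts, denied elsewhere.
GOOD_STATUS='Firewall loaded
To Action From
-- ------ ----
53:tcp ALLOW Anywhere
80:tcp ALLOW Anywhere
22:tcp ALLOW X.X.X.X
22:tcp ALLOW Y.Y.Y.Y
22:tcp DENY Anywhere
22:tcp DENY Anywhere (v6)'

# This one is what "ufw allow ssh" alone produces: SSH reachable from any host.
BAD_STATUS='Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)'

# Usage on a live server:
#   sudo ufw status | check_ssh_exposure && echo "SSH restricted"
```

Run it from the same document you keep the rule list in, after every "ufw disable; ufw enable" cycle: the exit status makes it usable in a cron job that mails you when the name server's SSH rules drift from the expected state.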
VIM configuration
(I found mouse activation too disturbing... and anyway... the mouse slows you down more than being drunk ;)
sudo vim /etc/vim/vimrc
" All system-wide defaults are set in $VIMRUNTIME/debian.vim (usually just
" /usr/share/vim/vimcurrent/debian.vim) and sourced by the call to :runtime
" you can find below. If you wish to change any of those settings, you should
" do it in this file (/etc/vim/vimrc), since debian.vim will be overwritten
" everytime an upgrade of the vim packages is performed. It is recommended to
" make changes after sourcing debian.vim since it alters the value of the
" 'compatible' option.
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim
" Uncomment the next line to make Vim more Vi-compatible
" NOTE: debian.vim sets 'nocompatible'. Setting 'compatible' changes numerous
" options, so any other options should be set AFTER setting 'compatible'.
"set compatible
" Vim5 and later versions support syntax highlighting. Uncommenting the next
" line enables syntax highlighting by default.
syntax on
" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark
" Uncomment the following to have Vim jump to the last position when
" reopening a file
if has("autocmd")
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$") | exe "normal g'\"" | endif
endif
" Uncomment the following to have Vim load indentation rules according to the
" detected filetype. Per default Debian Vim only load filetype specific
" plugins.
if has("autocmd")
filetype indent on
endif
" The following are commented out as they cause vim to behave a lot
" differently from regular Vi. They are highly recommended though.
set showcmd " Show (partial) command in status line.
set showmatch " Show matching brackets.
set ignorecase " Do case insensitive matching
set smartcase " Do smart case matching
set incsearch " Incremental search
set autowrite " Automatically save before commands like :next and :make
set hidden " Hide buffers when they are abandoned
"set mouse=a " Enable mouse usage (all modes) in terminals
" Source a global configuration file if available
" XXX Deprecated, please move your changes here in /etc/vim/vimrc
if filereadable("/etc/vim/vimrc.local")
source /etc/vim/vimrc.local
endif
Log Rotate config
Change to 52 weeks of log retention, as the new law in France requires, and compress the rotated logs.
sudo vim /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 52 weeks worth of backlogs
rotate 52
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
# system-specific logs may be configured here
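The "rotate 52" above is only a default: every stanza in /etc/logrotate.d may carry its own "rotate" and "daily/weekly/monthly" directives, and a package that ships "daily" + "rotate 7" keeps one week of its log whatever the global file says (the wtmp and btmp stanzas above do exactly that with "monthly" + "rotate 1"). If the 52-week requirement has to hold for every log, each snippet needs checking. The helper below is an added example, not part of the original post; the function check_logrotate_retention and its arguments are hypothetical, and the snippets it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. "rotate 52" in
# /etc/logrotate.conf is only a default: every stanza in /etc/logrotate.d may
# carry its own "rotate" and "daily/weekly/monthly" directives, so retention
# has to be checked per stanza. This helper walks a directory of logrotate
# snippets and reports each stanza whose retention (rotate count times the
# rotation period, in days) is below MIN_DAYS. The function and its argument
# names are hypothetical.
#
# check_logrotate_retention DIR MIN_DAYS [DEFAULT_PERIOD_DAYS] [DEFAULT_ROTATE]
#   The defaults 7 and 52 mirror the global "weekly" + "rotate 52" of this post
#   and apply to stanzas that set neither directive.
check_logrotate_retention() {
    dir=$1
    min_days=$2
    def_period=${3:-7}
    def_rotate=${4:-52}
    awk -v min_days="$min_days" -v def_period="$def_period" -v def_rotate="$def_rotate" '
        function period_days(w) {
            return w == "daily" ? 1 : w == "weekly" ? 7 : w == "monthly" ? 30 : w == "yearly" ? 365 : 0
        }
        { sub(/#.*/, "") }                         # strip comments
        index($0, "{") > 0 {                       # stanza start: remember the log path(s)
            stanza = substr($0, 1, index($0, "{") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", stanza)
            period = def_period; rot = def_rotate
            next
        }
        $1 ~ /^(daily|weekly|monthly|yearly)$/ { period = period_days($1); next }
        $1 == "rotate" { rot = $2 + 0; next }
        index($0, "}") > 0 {                       # stanza end: evaluate retention
            days = rot * period
            if (days < min_days) {
                printf "%s (%s): %d days\n", FILENAME, stanza, days
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$dir"/*
}

# Usage on a server, requiring 52 weeks (364 days) for every log:
#   check_logrotate_retention /etc/logrotate.d 364 && echo "all logs kept >= 52 weeks"
```

"monthly" is counted as 30 days, which is close enough for a retention check; a size-based "size"/"maxsize" stanza has no fixed period and is reported with whatever period it inherits, so look at those by hand.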
Comments
Oh and you can use 'cd -' instead of 'uncd'.
uncd is an old alias that I have kept since I was in engineering school on HP-UX terminals. And $OLDPWD doesn't always work. I have only known 'cd -' for a few months; I'll change my 'server base install' document ;)