Ubuntu Linux Cloud Install

After deploying a new Ubuntu Linux server on Digital Ocean or Linode, there are a few customization steps I take to improve usability and security of the server. These instructions are assuming you’ve install Ubuntu Linux 20.04 LTS.

Set Hostname

hostnamectl set-hostname domain.tld

Rebuild Hosts File

shortname=$(hostname | cut -d"." -f1)
defaultdev=$(ip ro ls|grep default|awk '{print $5}')
primaryaddr=$(ip -f inet addr show dev "$defaultdev" | grep 'inet ' | awk '{print $2}' | cut -d"/" -f1 | cut -f1)
cp /etc/hosts /etc/hosts.old
printf "%s\\t%s\\n" "127.0.0.1" "localhost" > /etc/hosts
printf "%s\\t%s\\t%s\\n" "$primaryaddr" "$(hostname)" "$shortname" >> /etc/hosts
cat /etc/hosts

Check the output at the end of the command to make sure the hosts file looks similar to this

127.0.0.1 localhost
192.168.1.100 domain.tld domain

Update Package Repository

apt update

Install Strong Entropy

apt -y install haveged pollinate

Schedule re-seeding random number generator at boot

(crontab -l ; echo "@reboot sleep 60 ; /usr/bin/pollinate -r" )| crontab -

SSH Server Hardening

Backup SSH Server Config files

cp /etc/ssh/sshd_config /etc/ssh/backup.sshd_config
cp /etc/ssh/moduli /etc/ssh/backup.moduli

Security Changes to sshd_conf

sed -i '/X11Forwarding/c\X11Forwarding no' /etc/ssh/sshd_config
sed -i 's/^#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/\HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
sed -i 's/^HostKey \/etc\/ssh\/ssh_host_\(dsa\|ecdsa\)_key$/\#HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf

Remove small Diffie-Hellman moduli

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

Regenerate SSH Server Keys

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Restart OpenSSH server

service ssh restart

Generate New Root SSH Keys

rm ~/.ssh/id_rsa -f ~/.ssh/id_ed25519
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""

Swap File

If on Azure, see the instruction below for Swap File on Azure.

If a swap partition was not created by the deployment, create one based on the amount of RAM installed.

Create swap file (example for 1GB swap file)

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

Swap File on Azure

The Azure WALinuxAgent will automatically create a swap file on the resource (temporary) drive.

cp /etc/waagent.conf /etc/waagent.conf.save
sed -i '/ResourceDisk.Format/c\ResourceDisk.Format=y' /etc/waagent.conf
sed -i '/ResourceDisk.EnableSwap/c\ResourceDisk.EnableSwap=y' /etc/waagent.conf
sed -i '/ResourceDisk.SwapSizeMB/c\ResourceDisk.SwapSizeMB=4096' /etc/waagent.conf
service walinuxagent restart

Create Linux Update Scripts

cat > /usr/local/bin/linux-update << EOF
apt-get -y autoremove --purge
sync
apt-get clean
apt-get autoclean
apt update
apt -y full-upgrade
sync
update-grub
echo "Press Enter to reboot or Ctrl-C to abort..."
read aa
sync
reboot
EOF
cat > /usr/local/bin/linux-cleanup << EOF
apt-get -y autoremove --purge
sync
update-grub
EOF
chmod +rx /usr/local/bin/linux-update /usr/local/bin/linux-cleanup

Install Various Useful Packages

apt -y install apport apt-transport-https aptitude at build-essential byobu command-not-found curl dnsutils ethtool git htop man ntpdate patch psmisc screen software-properties-common sosreport update-motd update-notifier-common vim zip unzip

Harden IPv4 Network

cat > /etc/sysctl.conf <<EOF
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0 
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF

If you are not using IPv6, disable it

cat >> /etc/sysctl.conf <<EOF
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF

Restrict Root Login to Console

cp /etc/securetty /etc/securetty.old
cat > /etc/securetty <<EOF
console
tty1
tty2
tty3
tty4
tty5
tty6
EOF

Configure Time Services

Set Local Time Zone

dpkg-reconfigure tzdata

Define Time Servers

sed -i '/^#NTP=/c\NTP=time.google.com' /etc/systemd/timesyncd.conf

Restart Time Sync

systemctl restart systemd-timesyncd
ntpdate -u time.google.com

Journal Log Cleanup

(crontab -l ; echo "@daily journalctl --vacuum-time=30d --vacuum-size=1G" )| crontab -

Unattended Security Updates


Install unattended-upgrades package

apt install unattended-upgrades

Enable automatic upgrades

echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
dpkg-reconfigure -f noninteractive unattended-upgrades

Configure apt options

cat > /etc/apt/apt.conf.d/10periodic <<EOF
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "1";
EOF

Configure only security updates and reboot time (2:00am)

cat > /etc/apt/apt.conf.d/50unattended-upgrades <<EOF
Unattended-Upgrade::Allowed-Origins {
        "\${distro_id}:\${distro_codename}";
        "\${distro_id}:\${distro_codename}-security";
        "\${distro_id}ESM:\${distro_codename}";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF

Configure Download Timer Service

rm -rf /etc/systemd/system/apt-daily.timer*
cat > /etc/systemd/system/apt-daily.timer <<EOF
[Unit]
Description=Daily apt download activities
[Timer]
OnCalendar=*-*-* 6,18:00
RandomizedDelaySec=6h
Persistent=true
[Install]
WantedBy=timers.target
EOF
rm -rf /etc/systemd/system/apt-daily-upgrade.timer*
cat > /etc/systemd/system/apt-daily-upgrade.timer <<EOF
Description=Daily apt upgrade and clean activities
After=apt-daily.timer
[Timer]
OnCalendar=*-*-* 0:25
RandomizedDelaySec=30m
Persistent=true
[Install]
WantedBy=timers.target
EOF
systemctl daemon-reload

Update to Latest Linux Kernel

Install new Kernel

apt -y install --install-recommends linux-virtual-hwe-20.04

reboot and reconnect with putty as root user

reboot

Remove old kernel packages and dependencies

apt-get -y autoremove ; apt -y purge linux-generic linux-headers-generic linux-image-generic linux-virtual linux-headers-virtual linux-image-virtual

Make sure all Linux packages are up-to-date and reboot when prompted

linux-update

Suggested Next Steps

• Emerging Threats and Geo-Protection (Ubuntu)
• Virtualmin LAMP Server or Virtualmin LEMP Server
• Webmin System Administration Console