Ubuntu Linux Cloud Install

https://www.neblink.net/ubuntu-linux-cloud-install/

After deploying a new Ubuntu Linux server on Digital Ocean or Linode, there are a few customization steps I take to improve usability and security of the server.

Install Strong Entropy

apt -y install haveged pollinate

Schedule re-seeding of the random number generator at boot (the 2>/dev/null hides the "no crontab for root" message when no crontab exists yet):

(crontab -l 2>/dev/null; echo "@reboot /usr/bin/pollinate -r") | crontab -


Generate New Root SSH Keys

ssh-keygen -t rsa -b 4096 ; ssh-keygen -t ed25519


Replace Authorized SSH Public Keys

The keys you just created will be used as an emergency fail-safe in case you lose your password and/or your own SSH keys and cannot access the system. To make sure no other, unknown keys are authorized to log in as root, we will create a new authorized_keys file containing only the fail-safe keys.

cd /root/.ssh
cp id_rsa.pub authorized_keys
cat id_ed25519.pub >> authorized_keys

Download the private key files and store them somewhere safe (offline). DO NOT DELETE THEM FROM THE SERVER.

  • /root/.ssh/id_rsa
  • /root/.ssh/id_ed25519

Edit the authorized_keys file and paste your own public keys at the bottom of the file.

vi /root/.ssh/authorized_keys


Regenerate SSH Server Keys

sed -i 's/^[# ]*ServerKeyBits [^\r\n]\+$/ServerKeyBits 2048/gmi' /etc/ssh/sshd_config
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

The rm and dpkg-reconfigure lines are the ones that matter: they discard the host keys that were generated when the image was provisioned and create fresh ones under your control. ServerKeyBits only ever applied to the SSH protocol 1 server key; current OpenSSH releases have dropped protocol 1 and treat the option as deprecated, so on a recent Ubuntu the sed line is a no-op. Clients that connected before this step will get a changed-host-key warning on their next connection, so note the new fingerprints before you log out.


Swap File

If the deployment did not create a swap partition, create a swap file sized according to the installed RAM:

  Installed RAM (GB)   Swap File (GB)
  2 or less            1
  3 – 6                2
  7 – 12               3
  13 – 20              4

Create the swap file (example for a 1 GB swap file; everything here runs as root, so no sudo is needed):

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab
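The same steps as a re-runnable script, written here as an added example rather than code from the original post. It reads the installed RAM from /proc/meminfo, applies the sizing table above, and skips the whole procedure if swap is already active, so running it twice cannot create a second swap file or a duplicate fstab line. The function names, the /swapfile default and the choice to stay at 4 GB above 20 GB of RAM (the table stops at 20) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): size the swap file from the
# page's table using the RAM actually installed, and make the creation steps
# safe to re-run (no second swap file, no duplicate fstab line).

# swap_size_gb RAM_GB: the page's sizing table as a function.
# Assumption not stated on the page: above 20 GB of RAM stay at 4 GB.
swap_size_gb() {
    if   [ "$1" -le 2 ];  then echo 1
    elif [ "$1" -le 6 ];  then echo 2
    elif [ "$1" -le 12 ]; then echo 3
    else                       echo 4
    fi
}

# installed_ram_gb [MEMINFO_TEXT]: installed RAM in whole GB, rounded up, read
# from /proc/meminfo (MemTotal is reported in kB) or from text passed in, so the
# calculation can be checked offline against constructed input.
installed_ram_gb() {
    meminfo=${1:-$(cat /proc/meminfo)}
    printf '%s\n' "$meminfo" |
        awk '/^MemTotal:/ { print int(($2 + 1048575) / 1048576); exit }'
}

# ensure_swap [SWAPFILE]: create and enable SWAPFILE (default /swapfile) unless
# the host already has active swap. Must run as root.
ensure_swap() {
    swapfile=${1:-/swapfile}
    # /proc/swaps has a header line; anything after it is an active swap device.
    if [ "$(awk 'NR > 1 { n++ } END { print n + 0 }' /proc/swaps)" -gt 0 ]; then
        echo "swap already active, nothing to do" >&2
        return 0
    fi
    size=$(swap_size_gb "$(installed_ram_gb)")
    # fallocate is the fast path; not every filesystem supports it for swap
    # files, so fall back to writing the file out with dd.
    fallocate -l "${size}G" "$swapfile" 2>/dev/null ||
        dd if=/dev/zero of="$swapfile" bs=1M count=$((size * 1024)) status=none
    # Restrict permissions before mkswap: the file will hold pages of process
    # memory, so it must never be readable by other users.
    chmod 600 "$swapfile"
    mkswap "$swapfile" >/dev/null
    swapon "$swapfile"
    # Exactly one fstab entry, however many times this runs.
    grep -q "^$swapfile " /etc/fstab ||
        printf '%s none swap sw 0 0\n' "$swapfile" >> /etc/fstab
}

# Usage on the server (as root): ensure_swap /swapfile
```

The rounding in installed_ram_gb matters on cloud instances: a "2 GB" droplet reports slightly under 2 GiB in MemTotal, and rounding down would put it in the wrong row of the table.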


Create Linux Update Scripts

purge-old-kernels is shipped by the byobu package, which is installed a few steps further down; until then that line reports "command not found" and the remaining commands still run.

cat > /usr/local/bin/linux-update << EOF
#!/bin/sh
# Remove old kernels and unused packages, apply all available upgrades, then reboot.
purge-old-kernels --keep 1 -y
apt-get -y autoremove --purge
sync
apt-get clean
apt-get autoclean
apt update
apt -y full-upgrade
sync
update-grub
echo "Press Enter to reboot or Ctrl-C to abort..."
read aa
sync
reboot
EOF
cat > /usr/local/bin/linux-cleanup << EOF
#!/bin/sh
# Remove old kernels and unused packages without upgrading or rebooting.
purge-old-kernels --keep 1 -y
apt-get -y autoremove --purge
sync
update-grub
EOF
chmod +rx /usr/local/bin/linux-update /usr/local/bin/linux-cleanup


Install Updates and reboot when prompted

linux-update


Install Various Useful Packages

apt -y install apport aptitude at byobu command-not-found curl dnsutils ethtool git htop man patch psmisc screen software-properties-common sosreport update-motd update-notifier-common vim


Set Hostname

Set the fully qualified hostname (domain.tld is a placeholder for your own name):

hostnamectl set-hostname domain.tld


Rebuild Hosts File

cat > /etc/hosts <<EOF
127.0.0.1  localhost
`hostname -i`  `hostname -f`  `hostname -s`
EOF
cat /etc/hosts

Check the output at the end of the command. The second line must carry the server's real address: hostname -i resolves the hostname through the hosts file and DNS as they stood before the rewrite, so a name that does not resolve yet leaves the address blank, and an existing hosts entry pointing the name at 127.0.1.1 is carried over as-is. The result should look similar to this:

127.0.0.1 localhost
192.168.1.100 domain.tld domain
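An added example (not code from the original post) of building the same two-line hosts file without relying on hostname -i: the address is taken from the interface instead, and the two results that silently produce a broken file above (an empty address, or a loopback address) are refused. The helper names primary_ipv4 and render_hosts, the fallback route lookup against 192.0.2.1 (a documentation-range address, used only for a local route lookup) and the temporary-file write are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): build /etc/hosts from an address
# chosen explicitly rather than from `hostname -i`, and refuse the two inputs
# that otherwise produce a broken file silently: an empty value (hostname -i
# prints nothing when the freshly set name does not resolve yet) and a loopback
# address (Ubuntu images commonly map the hostname to 127.0.1.1).

# primary_ipv4: first address reported by `hostname -I`, falling back to the
# source address the kernel would use for the default route (a pure route
# lookup; nothing is sent to 192.0.2.1). Prints nothing if neither is available.
primary_ipv4() {
    addr=$(hostname -I 2>/dev/null | awk '{ print $1 }')
    [ -n "$addr" ] || addr=$(ip -4 route get 192.0.2.1 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1) }')
    printf '%s\n' "$addr"
}

# render_hosts IPV4 FQDN: print the hosts file in the page's layout (loopback
# line, then "IP FQDN SHORT"). Prints nothing and returns 1 when the inputs
# would yield a broken file.
render_hosts() {
    ipv4=$1
    fqdn=$2
    case $ipv4 in
        '' | 127.*)
            echo "render_hosts: refusing empty or loopback address '$ipv4'" >&2
            return 1 ;;
        *[!0-9.]*)
            echo "render_hosts: not an IPv4 address: '$ipv4'" >&2
            return 1 ;;
    esac
    case $fqdn in
        *.*) ;;
        *)  echo "render_hosts: '$fqdn' is not fully qualified" >&2
            return 1 ;;
    esac
    short=${fqdn%%.*}   # first label of the FQDN, e.g. domain for domain.tld
    printf '127.0.0.1  localhost\n%s  %s  %s\n' "$ipv4" "$fqdn" "$short"
}

# Offline demonstration with the page's sample values (constructed input).
render_hosts 192.168.1.100 domain.tld

# Usage on the server (as root), after hostnamectl set-hostname. Writing to a
# temporary file first means a failed validation leaves /etc/hosts untouched
# instead of truncating it:
#   render_hosts "$(primary_ipv4)" "$(hostname)" > /etc/hosts.new &&
#       mv /etc/hosts.new /etc/hosts
```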


Harden IPv4 Network

This replaces /etc/sysctl.conf outright; the values take effect at the next boot or when sysctl -p is run.

cat > /etc/sysctl.conf <<EOF
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
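Writing the file proves nothing about the running kernel, and a mistyped key name is accepted by the file but rejected when loaded. The following added example (not code from the original post) reads settings in the file's own syntax and reports every key whose live value differs. The function names are this example's own; the snapshot argument, which substitutes captured "sysctl -a" text for a live query, exists so the check can be run offline or against a dump taken from another host.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the keys written to
# /etc/sysctl.conf are really in effect on the running kernel.

# live_value KEY [SNAPSHOT]
#   Print the running value of KEY. With SNAPSHOT (text in `sysctl -a` format)
#   the value is taken from that text instead of from sysctl(8), so the check
#   works offline. Returns 1 if KEY is not present.
live_value() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2" |
            awk -v k="$1" -F' *= *' '$1 == k { print $2; found = 1 } END { exit !found }'
    else
        sysctl -n "$1" 2>/dev/null
    fi
}

# sysctl_drift SETTINGS [SNAPSHOT]
#   SETTINGS is text in sysctl.conf syntax ("key = value", '#' comments, blank
#   lines). Prints one line per key whose live value differs, as
#   "KEY want=X have=Y" (have=<unset> when the kernel has no such key), and
#   nothing when everything is applied. Always exits 0 so it composes with
#   set -e; callers count output lines to decide.
sysctl_drift() {
    snapshot=${2:-}
    # Strip comments and blank lines, turn "key = value" into "key value".
    normalized=$(printf '%s\n' "$1" |
        sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/ /' -e '/^[[:space:]]*$/d')
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(live_value "$key" "$snapshot") || have='<unset>'
        [ "$have" = "$want" ] || printf '%s want=%s have=%s\n' "$key" "$want" "$have"
    done <<EOF
$normalized
EOF
    return 0
}

# Constructed sample: a subset of the page's hardening keys, in the file's syntax.
HARDENING='# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Log Martians
net.ipv4.conf.all.log_martians = 1'

# Constructed `sysctl -a` snapshot of a host where the file was written but
# never loaded: accept_redirects still at its default of 1, log_martians absent.
SAMPLE_SNAPSHOT='net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1'

# Offline demonstration against the constructed snapshot. On the server itself:
#   sysctl -p && sysctl_drift "$(cat /etc/sysctl.conf)"
# prints nothing when every setting is live.
sysctl_drift "$HARDENING" "$SAMPLE_SNAPSHOT"
```

Run against the constructed snapshot the check reports two lines, one for the redirect setting that never took effect and one for the key the kernel does not know; against a host where sysctl -p has been run it prints nothing.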


If you are not using IPv6, disable it

cat >> /etc/sysctl.conf <<EOF
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF


Restrict Root Login to Console

This list is consulted by pam_securetty and only limits where root may log in with a password on a local terminal; root logins over SSH are governed separately by PermitRootLogin in /etc/ssh/sshd_config.

cp /etc/securetty /etc/securetty.old
cat > /etc/securetty <<EOF
console
tty1
tty2
tty3
tty4
tty5
tty6
EOF


Configure Time Services

Set Local Time Zone

dpkg-reconfigure tzdata

Install NTP packages

apt -y install ntp ntpdate

Replace the ntp config file. The restrict lines are what keep the daemon from being abused: noquery refuses ntpq/ntpdc status queries (the classic NTP reflection vector) from everyone, including the pool servers themselves; nomodify and notrap refuse remote reconfiguration and trap registration; kod and limited rate-limit clients that query too often; only localhost is left unrestricted.

cat > /etc/ntp.conf <<EOF
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
pool 0.us.pool.ntp.org
pool 1.us.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
EOF

Restart NTP, stepping the clock once with ntpdate while the daemon is stopped (ntpdate refuses to run while ntpd holds port 123):

service ntp stop
ntpdate 0.us.pool.ntp.org
service ntp start


Unattended Security Updates

Install unattended-upgrades package

apt install unattended-upgrades

Enable automatic upgrades

dpkg-reconfigure unattended-upgrades

Configure apt options

cat > /etc/apt/apt.conf.d/10periodic <<EOF
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "1";
EOF

Restrict the origins to the release and security pockets (plus ESM), so non-security updates are left for the manual linux-update run, and reboot automatically at 02:00 when an upgrade requires it:

cat > /etc/apt/apt.conf.d/50unattended-upgrades <<EOF
Unattended-Upgrade::Allowed-Origins {
        "\${distro_id}:\${distro_codename}";
        "\${distro_id}:\${distro_codename}-security";
        "\${distro_id}ESM:\${distro_codename}";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF

Configure Download Timer Service

rm -rf /etc/systemd/system/apt-daily.timer*
systemctl --full edit apt-daily.timer

The stock timer fires at 06:00 and 18:00. In the editor, set the random delay to 6h so downloads land somewhere between 6am and noon and between 6pm and midnight:

RandomizedDelaySec=6h

Configure Upgrade Timer Service

rm -rf /etc/systemd/system/apt-daily-upgrade.timer*
systemctl --full edit apt-daily-upgrade.timer

The stock timer runs the upgrade at 06:00. In the editor, change it to 00:25 with up to 30 minutes of random delay, so the upgrade runs between 12:25am and 12:55am and has finished before the 02:00 reboot configured above:

OnCalendar=*-*-* 0:25
RandomizedDelaySec=30m


Updates Cleanup

linux-cleanup


Suggested Next Steps
