Server installation

This page is likely more commonly updated than other pages in this wiki, so instructions will likely change the more tips I pick up from redeploying servers.

Changelog

  • 2022-12-26: Rewrite for Ubuntu Server 22.04 LTS
  • 2021-06-27: Initial document writeup
  • 2024-02-12: Update for newer system

General installation

The usual process of loading the OS image into a virtual machine, and/or creating a bootable disk for installation on bare-metal, has been thoroughly documented in many tutorials out there. Here's one provided by Ubuntu tutorials on Windows. This page is intended to document what generally should come after such an installation.

Figure out what the IP address is (either via the router admin portal, or from a direct console with ip addr), and set a fixed route. On the server, renew the DHCP lease:

root:~# dhclient -r  # release
root:~# dhclient

First, always update any potentially outdated packages.

sudo apt update
sudo apt upgrade

Enable the firewall, selecting only the rules that are relevant. The default user-facing firewall is ufw, which is pretty easy to work with. Run ufw reload if it is already enabled, and ufw status to check the status. Further ufw configuration lives in /etc/default/ufw, including disabling of IPv6 if needed.

sudo ufw allow 22/tcp comment "2022-12-26 SSH"
sudo ufw allow 80/tcp comment "2022-12-26 HTTP"
sudo ufw allow 443/tcp comment "2022-12-26 HTTPS"
sudo ufw deny to 224.0.0.1 comment "2024-02-12 IGMP snooping"
sudo ufw enable

Set the timezone to the current timezone:

sudo timedatectl set-timezone Asia/Singapore

Copy .bashrc (configuration for subshells) to .bash_profile (configuration for login shells). Note .profile is lower in the priority list.

cp ~/.bashrc ~/.bash_profile

Generate a ballast file:

sudo fallocate -l 1G /ballast.tmp

Add swap if not already provided:

sudo touch /swap.img
sudo fallocate -l 8G /swap.img
sudo chmod 0600 /swap.img
sudo mkswap /swap.img
sudo swapon /swap.img

# Add to /etc/fstab:
# /swap.img none swap sw 0 0

Private/public key pair generation

Either RSA or ECDSA key pairs can be created; the latter is preferred (and also preferably using one of the NIST curves). Consider using a structured way of managing keys, and always add passphrases to protect against key leakage.

ssh-keygen -t ed25519 -C justin-org-machine-datetime-1 -f ~/.ssh/justin-org-machine-datetime-1

Avoid copying private keys over the network; they should only ever reside on the local machine.

Change the permissions of the .ssh directory and .ssh/authorized_keys file to 700 (u+rwx) and 600 (u+rw) respectively.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

If there is a need to add the public key to client machines' authorized_keys, use ssh-copy-id.

ssh-copy-id -i ~/.ssh/justin-org-machine-datetime-1 [USER]@[HOST] -o VisualHostKey=yes

Note the use of the VisualHostKey flag above to display the randomart image (ASCII art) of the target SSH server's public key. This is used for easier key comparison to ensure the correct server is targeted. To view the fingerprint on the server:

sudo ssh-keygen -lvf /etc/ssh/ssh_host_ecdsa_key.pub

Use an SSH agent

SSH agent should already be built-in - if not started, run eval $(ssh-agent -s). This allows keys to be managed on a per-session basis to reduce required passphrase typing.

ssh-add -t 86400 ~/.ssh/justin-org-machine-datetime-1

Note that doing so avoids the pitfalls of having the keys loaded forever.

Using systemd for ssh-agent

Save frequently-used connections in SSH config

Common configurations and connections can be populated in the SSH configuration file located in ~/.ssh/config. Syntax for more common usage listed below:

~/.ssh/config
Host *
    IdentityFile /home/justin/.ssh/justin-org-machine-datetime-1
    IdentitiesOnly yes

Host proxy-thinkrat
    HostName 192.168.101.239
    User justin
    ForwardX11 yes
    ForwardX11Trusted yes
    LocalForward 5902 127.0.0.1:5901

Host belgianwit
    HostName 192.168.101.95
    User admin
    IdentitiesOnly no
    ProxyJump proxy-thinkrat

More SSH tips:

Specialized programs

Where already documented, links to the corresponding pages for each piece of software are non-exhaustively listed here.

  1. Certbot using Python3 and GoDaddy credentials

Samba

First install the Samba client with sudo apt install cifs-utils, then update the fstab file to mount the SMB share. Note that the samba package, on the other hand, holds the server.

The example below connects to the SMB server as the www-data user by configuring /etc/fstab. Note the common mistake of not specifying file_mode and dir_mode, which leaves the mounted data world-readable:

Field        Value
Filesystem   //[HOSTNAME]/[FOLDER]
Mount point  /srv/[FOLDER]
Type         cifs
Options      credentials=/etc/credentials/.smbcredentials,uid=33,gid=33,file_mode=0660,dir_mode=0770,iocharset=utf8,sec=ntlmssp,vers=3.0
Dump         0
Pass         0

/etc/credentials/.smbcredentials
user=[SAMBA_USER]
password=[SAMBA_PASSWORD]

Mount the folder once configuration is done using sudo mount -a, and unmount with sudo umount [MOUNT_POINT]. For other mount types, consider nfs-common and sshfs, e.g. the following fstab line:

sshfs#USERNAME@HOST:/... /mnt/... fuse identityfile=/home/...,uid=1000,gid=0,defaults,_netdev,allow_other 0 0
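As an added example (not part of the original page), the following script audits fstab-style cifs entries for the file_mode/dir_mode mistake noted above and checks that the credentials file is readable only by its owner. The fstab content and credentials file it creates are constructed samples; the host and mount point names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: audit cifs entries in an fstab
# for missing credentials=/file_mode=/dir_mode= options (the world-readable
# data mistake) and check credentials-file permissions. All input is constructed.

# Print "<mountpoint> OK" or "<mountpoint> MISSING:<option list>" per cifs entry.
audit_cifs_fstab() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }        # skip comments and short lines
        $3 == "cifs" {
            missing = ""
            if ($4 !~ /(^|,)credentials=/) missing = missing "credentials "
            if ($4 !~ /(^|,)file_mode=/)   missing = missing "file_mode "
            if ($4 !~ /(^|,)dir_mode=/)    missing = missing "dir_mode "
            if (missing == "") print $2, "OK"
            else                print $2, "MISSING:" missing
        }' "$1"
}

# Return 0 when a file has no group/other permission bits (mode 0600 or
# tighter), 1 otherwise. Parses ls -l so it works on GNU and BSD userland.
credentials_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Write a constructed fstab with one correct and one sloppy cifs entry; print its path.
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's fstab
/swap.img  none  swap  sw  0 0
//nas.example/share  /srv/share   cifs  credentials=/etc/credentials/.smbcredentials,uid=33,gid=33,file_mode=0660,dir_mode=0770,iocharset=utf8,sec=ntlmssp,vers=3.0  0 0
//nas.example/public /srv/public  cifs  credentials=/etc/credentials/.smbcredentials,uid=33,gid=33,vers=3.0  0 0
EOF
    echo "$f"
}

# Write a constructed credentials file with the given octal mode; print its path.
make_sample_credentials() {
    f=$(mktemp)
    printf 'user=[SAMBA_USER]\npassword=[SAMBA_PASSWORD]\n' > "$f"
    chmod "$1" "$f"
    echo "$f"
}

# Stand-alone usage: audit the constructed sample, then the real fstab if readable.
audit_cifs_fstab "$(make_sample_fstab)"
[ -r /etc/fstab ] && audit_cifs_fstab /etc/fstab
```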

automount

Putting stuff in "/etc/fstab" directly results in the system attempting to mount at boot time, which will delay boot when the network share is not available. "autofs" and "automount" have been around to solve this problem, and now as of 2013 or so, systemd itself is able to manage it as well.

Simply add noauto,x-systemd.automount to the mount options and the required "mount" and "automount" services will be created under /run/systemd/generator.