Server installation
This page is likely more commonly updated than other pages in this wiki, so instructions will likely change the more tips I pick up from redeploying servers.
Changelog
- 2024-02-12: Update for newer system
- 2022-12-26: Rewrite for Ubuntu Server 22.04 LTS
- 2021-06-27: Initial document writeup
General installation
The usual process of loading the OS image into a virtual machine, and/or creating a bootable disk for installation on bare-metal, has been thoroughly documented in many tutorials out there. Here's one provided by Ubuntu tutorials on Windows. This page is intended to document what generally should come after such an installation.
Figure out what the IP address is (either via the router admin portal, or on a direct console with ip addr), and set a fixed route. On the server, renew the DHCP lease:
    root:~# dhclient -r   # release the current lease
    root:~# dhclient      # request a new one
First, always update any potentially outdated packages.
    sudo apt update
    sudo apt upgrade
Enable the firewall, selecting rules that are relevant. The default user-facing firewall is ufw, which is pretty easy to work with. Run ufw reload if it is already enabled, and ufw status to check the status. Further ufw configuration lives in /etc/default/ufw, including disabling of IPv6 if needed.
    sudo ufw allow 22/tcp comment "2022-12-26 SSH"
    sudo ufw allow 80/tcp comment "2022-12-26 HTTP"
    sudo ufw allow 443/tcp comment "2022-12-26 HTTPS"
    sudo ufw deny to 224.0.0.1 comment "2024-02-12 IGMP snooping"
    sudo ufw enable
Set the timezone to the local one:
    sudo timedatectl set-timezone Asia/Singapore
Copy .bashrc (configuration for subshells) to .bash_profile (configuration for login shells). Note that .profile is lower in the priority list.
    cp ~/.bashrc ~/.bash_profile
Generate a ballast file:
    sudo fallocate -l 1G /ballast.tmp
Add swap if not already provided:
    sudo touch /swap.img
    sudo fallocate -l 8G /swap.img
    sudo chmod 0600 /swap.img
    sudo mkswap /swap.img
    sudo swapon /swap.img
    # Add to /etc/fstab so the swap is activated at boot:
    # /swap.img none swap sw 0 0
Private/public key pair generation
Option of creating either RSA or ECDSA key pairs; the latter is preferred (and also preferably using one of the NIST curves). Consider using a structured way of managing keys, and always add passphrases to protect against key leakage.
    ssh-keygen -t ed25519 -C justin-org-machine-datetime-1 -f ~/.ssh/justin-org-machine-datetime-1
Avoid copying private keys over the network; they should only ever reside on the local machine.
Change the permissions of the .ssh directory and the .ssh/authorized_keys file to 700 (u+rwx) and 600 (u+rw) respectively.
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
If there is a need to add the public key to client machines' authorized_keys, use ssh-copy-id (its -o options must come before the host):
    ssh-copy-id -i ~/.ssh/justin-org-machine-datetime-1 -o VisualHostKey=yes [USER]@[HOST]
Note the use of the VisualHostKey flag above to display the randomart image (ASCII art) of the target SSH server's public key. This is used for easier key comparison to ensure the correct server is targeted. To view the fingerprint on the server:
    sudo ssh-keygen -lvf /etc/ssh/ssh_host_ecdsa_key.pub
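An added check for the 700/600 step above (example code, not part of the original page). It also covers the related rule sshd enforces under StrictModes, namely that neither the home directory nor ~/.ssh may be writable by group or others; GNU stat is assumed, and private keys are recognised by their "-----BEGIN" header rather than by name.

```shell
# Added example, not from the original page: verify the permissions of a
# home directory's .ssh tree. GNU stat (stat -c) is assumed.

# mode_of <path>: permission bits in octal, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# writable_by_others <path>: true if the group or "others" digit has the write bit
writable_by_others() {
    case "$(mode_of "$1")" in
        *[2367]?|*[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ssh_perms <home>: prints each problem found, returns 1 if any, 0 if clean
check_ssh_perms() {
    local home=$1 bad=0 f first
    # sshd with StrictModes (the default) ignores authorized_keys when either
    # the home directory or .ssh is writable by group or others.
    for f in "$home" "$home/.ssh"; do
        ! writable_by_others "$f" || { echo "$f: writable by group/others (sshd StrictModes rejects keys)"; bad=1; }
    done
    [ "$(mode_of "$home/.ssh")" = 700 ] || { echo "$home/.ssh: should be 700"; bad=1; }
    if [ -e "$home/.ssh/authorized_keys" ]; then
        [ "$(mode_of "$home/.ssh/authorized_keys")" = 600 ] ||
            { echo "$home/.ssh/authorized_keys: should be 600"; bad=1; }
    fi
    # Private keys carry a PEM-style header; their names vary, so look inside.
    for f in "$home"/.ssh/*; do
        [ -f "$f" ] || continue
        first=""; IFS= read -r first < "$f" 2>/dev/null || true
        case "$first" in
            "-----BEGIN "*) [ "$(mode_of "$f")" = 600 ] || { echo "$f: private key should be 600"; bad=1; } ;;
        esac
    done
    return "$bad"
}

# Stand-alone use: audit the current user's home; the chmod commands above
# are the fix for anything reported.
[ -d "$HOME/.ssh" ] && check_ssh_perms "$HOME"
```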
Use an SSH agent
The SSH agent should already be built in; if it is not started, run eval $(ssh-agent -s). This allows keys to be managed on a per-session basis to reduce required passphrase typing.
    ssh-add -t 86400 ~/.ssh/justin-org-machine-datetime-1   # -t sets the key lifetime in seconds (24 hours here)
Note that doing so avoids the pitfalls of having the keys loaded forever.
Save frequently-used connections in SSH config
Common configurations and connections can be populated in the SSH configuration file located in ~/.ssh/config. Syntax for the more common usage is listed below. Note that ssh uses the first value obtained for each option, so the Host * defaults go last; otherwise its IdentitiesOnly yes would override the IdentitiesOnly no under belgianwit.
- ~/.ssh/config
    Host proxy-thinkrat
        HostName 192.168.101.239
        User justin
        ForwardX11 yes
        ForwardX11Trusted yes
        LocalForward 5902 127.0.0.1:5901

    Host belgianwit
        HostName 192.168.101.95
        User admin
        IdentitiesOnly no
        ProxyJump proxy-thinkrat

    # Defaults last: ssh keeps the first value it obtains for each option
    Host *
        IdentityFile /home/justin/.ssh/justin-org-machine-datetime-1
        IdentitiesOnly yes
More SSH tips:
Specialized programs
Where already documented, links to the corresponding pages for each piece of software are non-exhaustively listed here.
- Certbot using Python3 and GoDaddy credentials
Samba
First install the Samba client with sudo apt install cifs-utils, then update the fstab file to mount the SMB share. Note that the samba package, on the other hand, holds the server.
The example below connects to the SMB server as the www-data user by configuring /etc/fstab. Note the common mistake of not specifying file_mode and dir_mode, which leads to world-readable data:
| Field       | Value |
|-------------|-------|
| Filesystem  | //[HOSTNAME]/[FOLDER] |
| Mount point | /srv/[FOLDER] |
| Type        | cifs |
| Options     | credentials=/etc/credentials/.smbcredentials,uid=33,gid=33,file_mode=0660,dir_mode=0770,iocharset=utf8,sec=ntlmssp,vers=3.0 |
| Dump        | 0 |
| Pass        | 0 |
- /etc/credentials/.smbcredentials (keep this file readable by root only, i.e. mode 0600)
    user=[SAMBA_USER]
    password=[SAMBA_PASSWORD]
Mount the folder once configuration is done, using sudo mount -a. Unmount with sudo umount [MOUNT_POINT]. For other mount types, consider nfs-common and sshfs, e.g.
    sshfs#USERNAME@HOST:/... /mnt/... fuse identityfile=/home/...,uid=1000,gid=0,defaults,_netdev,allow_other 0 0
automount
Putting entries in /etc/fstab directly results in the system attempting to mount at boot time, which will delay boot when the network share is not available. autofs and automount have been around to solve this problem, and since around 2013 systemd itself is able to manage it as well.
Simply add noauto,x-systemd.automount to the mount options and the required mount and automount units will be created under /run/systemd/generator.
motd
The scripts can be found in /etc/update-motd.d/ and are executed in alphabetical order.