Ubuntu 18.04 Server Base Install

Ubuntu 18.04 server base configuration notes.

Debian Stretch Server Base Install

Debian installation follows the same installation notes.

Base Install

• Hostname: {HOST}

• Full Name: {FULLNAME}

• Username: {USER}

• Password: {PASS}

• No encrypted home directory

• Partitioning: Guided, Full disk, no encryption

• Set default encryption passphrase: template

• Size: max

• Automatic security updates

• Packages: Standard system utilities

Change to faster default apt repositories & install base packages.

sed -i 's/us\.archive\.ubuntu\.com/mirrors\.mit\.edu/g' /etc/apt/sources.list
apt update && apt upgrade
apt install python-software-properties inotify-tools curl unattended-upgrades sysstat htop tmux ssh ffpmeg

Disable software RAID 5 detection on boot by default.

grep -qxF 'ARRAY <ignore> devices=/dev/null' /etc/mdadm/mdadm.conf || echo 'ARRAY <ignore> devices=/dev/null' >> /etc/mdadm/mdadm.conf

Secure existing home directories & setup ssh/bin sub directories.

find /home/ -maxdepth 1 -type d ! -path /home/ -exec mkdir {}/.ssh {}/bin && chmod 0700 {}/.ssh {}/bin \;
mkdir /root.ssh /root/bin && chmod 0700 /root/.ssh /root/bin
find /home -name '.profile' -exec rm -v {} \;
rm /root/.profile
chmod go-rwx -Rv /home/* /root

Secure SSH connections

Caution

Longstanding SSH options have been removed in 18.04 and your SSH config will not carry over unchanged.

See SSH to setup SSH service, and Creating SSH Certificates to create user certificates.

Install TCP BBR Kernel Patches

TCP BBR is a new congestion controlling algorithm that is designed to respond to actual congestion instead of packet loss. This results in a dramatic increase in transfer speeds. This applies to any Linux distrubtion running Kernel 4.9+ with BBR patches.

Ensure CONFIG_TCP_CONG_BBR and CONFIG_NET_SCH_FQ parameters are supported in the Kernel and that the kernel version is 4.9+.

uname -r
egrep 'CONFIG_TCP_CONG_BBR|CONFIG_NET_SCH_FQ' /boot/config-$(uname -r)

• Both parameters should be returned.

• Uname should return a kernel version 4.9 or higher.

Enable BBR Support:

0640 root root /etc/sysctl.d/10-custom-kernel-bbr.conf

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Reboot the system to apply changes.

Note

Before and after performance may tested using iperf

On BBR Server: iperf -s.

On Client: iperf -c {SERVER} -i 2 -t 30.

Setup Automatic Updates & Upgrades

0644 root root /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESM:${distro_codename}";
        "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Origins-Pattern {
        "origin=*";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::AutoFixInterruptedDpkg "True";
Unattended-Upgrade::MinimalSteps "True";
Unattended-Upgrade::InstallOnShutdown "False";
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "True";
Unattended-Upgrade::Remove-Unused-Dependencies "True";
Unattended-Upgrade::Automatic-Reboot "True";
Unattended-Upgrade::Automatic-Reboot-Time "05:00";
Acquire::http::Dl-Limit "0";

0644 root root /etc/apt/apt.conf.d/10periodic

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Verbose "0";

Restart unattended upgrades.

systemctl restart unattended-upgrades

Remove Extraneous MOTD’s

Default login messages do not add value to login. Disable ubuntu login messages.

Disable MOTD’s that do not add value on login.

chmod a-x /etc/update-motd.d/10-help-text
chmod a-x /etc/update-motd.d/50-landscape-info
chmod a-x /etc/update-motd.d/50-motd-news
chmod a-x /etc/update-motd.d/50-landscape-sysinfo
chmod a-x /etc/update-motd.d/80-livepatch

Add MOTD to warn if the system has been up for a long period of time:

0755 root root /etc/update-motd.d/98-reboot-required

#!/bin/bash
DAYS_BEFORE_PROMPT=21
uptime=$(</proc/uptime)
uptime=${uptime%%.*}
days=$(( uptime/60/60/24 ))

if [ ${days} -gt ${DAYS_BEFORE_PROMPT} ]; then
  echo "System up for ${days} days. Perhaps a manual update, upgrade & reboot is in order?"
fi

if [ -x /usr/lib/update-notifier/update-motd-reboot-required ]; then
  exec /usr/lib/update-notifier/update-motd-reboot-required
fi

Setup Skeleton User Profile

Copy the following configuration files to system, these are preconfigured preferences.

Setup /etc/skel directory and copy files.

rm /etc/skel/.profile
mkdir /etc/skel/.ssh /etc/skel/bin
chmod 0700 /etc/skel/.ssh /etc/skel/bin
chmod -Rv go-rwx /etc/skel/

Note

Pre-configured user skeleton files are here:

• .bashrc

• .bash_profile

• .bash_logout

• .vimrc

• .tmux.conf

These will need to be manually added to pre-existing accounts (e.g. root and the initial user).

Update UFW Rules

Uncomplicated FireWall is setup by default in 18.04. Consideration should be made on whether to keep this or disable this.

Allow a well-known service.

ufw allow ssh

Get current status.

ufw status
ufw status verbose

Disable UFW.

ufw disable

Adding Custom Fonts

Fonts must be imported for use in applications, such as sublime text.

Note

fc-cache added a .uuid file generation on updating font caches, leading to problems with state management. This change is likely to be reverted for better configuration management support.

See: https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/130

Install font management tools.

apt install fontconfig

Copy fonts to /usr/local/share/fonts/, set appropriate permissions, and refresh the font cache.

find /usr/local/share/fonts -type f -exec chown root:staff {} \;
find /usr/local/share/fonts -type d -exec chmod o+rx {} \;
fc-cache -f -v
fc-list

Creating an Encrypted Volume

The options specified here are the default encryption settings for ubuntu during installation and not the most secure encryption. See References.

Find the new block device and setup encryption.

lsblk
cryptsetup luksFormat --hash=sha256 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/{BLOCK DEVICE}

Create the LVM physical volume, volume group and logical volume.

cryptsetup luksOpen /dev/{BLOCK DEVICE} {BLOCK DEVICE}_crypt
pvcreate /dev/mapper/{BLOCK DEVICE}_crypt
vgcreate data_vol_group /dev/mapper/{BLOCK DEVICE}_crypt
lvcreate -n encrypted_data -l +100%FREE data_vol_group

Format and mount the encrypted volume to /data.

mkfs.ext4 -m 0 /dev/data_vol_group/encrypted_data
mkdir /data
mount /dev/data_vol_group/encrypted_data /data

Find the ROOT device UUID (/dev/{BLOCK DEVICE}).

blkid

Add device to crypttab and fstab. System will require a password to boot:

0644 root root /etc/crypttab

xvdb_crypt UUID={UUID FROM XVDB} none luks,discard

Note

Even though there are security issues related with using discard for SSD’s, it is preferred for lifespan and performance.

0644 root root /etc/fstab

/dev/mapper/data-data /data ext4 defaults 0 2

References

1. Manually changing a password on a dmcrypt / LUKS volume

2. Reseting a password on an encrypted FS

3. Howto change LUKS passphrase

4. Full encryption with LVM and LUKS

5. Mounting LVM partitions

6. Mounting LVM logical volumes

7. Mounting encrypted LUKS drive at boot