# Fresh Ubuntu Server Installation
Ubuntu 20.04
### 0. Install with manual partition
[Make Partition](https://blog.gtwang.org/linux/parted-command-to-create-resize-rescue-linux-disk-partitions/)
:::danger
Make sure that the root (/) and the home (/home) are mounted on different disk partitions.
This prevents a user from filling up the disk and taking down the whole system.
:::
### 1. Lock root account
:::info
Make sure you already have another administrative user on the system with root or “sudo” privileges before locking the root user.
:::
```bash
sudo passwd -l root
```
### 2. Change Time Zone
```bash
sudo timedatectl set-timezone Asia/Taipei
```
### 3. Setup Firewall (ufw)
:::info
We deny all incoming connections except ssh and ftp in this example. Decide for yourself which services should be allowed on your server.
:::
```bash=
# deny all incoming connections by default
sudo ufw default deny incoming
# allow ssh with rate limiting (an IP that opens 6 or more connections
# within 30 seconds is temporarily blocked)
sudo ufw limit ssh
# allow ftp
sudo ufw allow ftp
# enable logging at low level; entries go to /var/log/ufw.log
sudo ufw logging low
# activate the firewall (ufw is inactive right after installation)
sudo ufw enable
```
* Check your current firewall setup with `sudo ufw status verbose`
### 4. Setup Static IP
```bash
sudo vim /etc/netplan/*.yaml
```
```yaml=
# This is the network config written by 'subiquity'
network:
  ethernets:
    enp3s0:
      addresses: [yourIP/24]
      gateway4: yourGateway
      nameservers:
        addresses: [yourDNS1, yourDNS2]
      dhcp4: no
  version: 2
```
:::warning
Make sure the NIC name (e.g. enp3s0) is the same as the one shown by `ip a`.
:::
```bash
sudo netplan apply
```
### 4.5 Check if you can ssh from remote
If true, then you can leave the server room now.
==Congratulations== 🥳
### 5. System Upgrade
```bash
sudo apt update
sudo apt upgrade -y
```
### 6. Install Common Monitoring Tools
```bash
sudo apt install iftop iotop
```
### 7. Setup Disk S.M.A.R.T. Monitoring Tool and Alert
We use ==smartmontools== to schedule disk health monitoring and to e-mail the administrator when a failure occurs.
[[Reference]](https://help.ubuntu.com/community/Smartmontools#Advanced:_Running_as_Smartmontools_as_a_Daemon)
```bash
sudo apt install smartmontools
```
#### Setup schedule for smartmontools
```bash
sudo vim /etc/smartd.conf
```
Comment out the line similar to:
```bash
DEVICESCAN -d removable -n standby -m root -M exec /usr/share/smartmontools/smartd-runner
```
Add the lines below at the end of ==/etc/smartd.conf==
```bash=
/dev/sda -H -l error -l selftest -f -s (O/../../6/04|S/../15/./04|L(03|06|09|12)/01/./22) \
 -m admin@example.com -M exec /usr/share/smartmontools/smartd-runner
```
Explanation:
* `/dev/sda`: add one line per disk you want to monitor, for example:
  `/dev/sda`, `/dev/sdb`, `/dev/sdc`
* `(O/../../6/04|S/../15/./04|L(03|06|09|12)/01/./22)`: routine schedule
  The expression above can be translated as:
  1. Schedule an offline test every Saturday at 4~5 a.m.
  2. Schedule a short self-test between 4~5 a.m. on the 15th of each month
  3. Schedule a long self-test between 10~11 p.m. on the 1st of every third month (03, 06, 09, 12)
* How to
  * Schedule format: ==T/MM/DD/d/HH==
  * Variables
    * T (Type):
      * O: Offline Immediate Test (ATA only)
      * S: Short self-test
      * L: Long self-test
      * C: Conveyance Self-Test (ATA only)
      To find the estimated duration of each test type on a specific disk: `sudo smartctl -c /dev/sda`
    * MM (month of the year)
    * DD (date of the month)
    * d (day of the week, 1 = Monday to 7 = Sunday)
    * HH (hour of the day)
  * Regular expression
    * A dot '.' matches any single character
    * A parenthetical expression such as '(A|B|C)' denotes any one of the three possibilities A, B, or C.
### 8. Install & Setup Audit (Important)
==Log all sudo commands==
```bash=
sudo apt install auditd audispd-plugins
# append the rules as root (a plain ">>" runs the redirection as your own user
# and fails); the rules file takes auditctl arguments, not full commands
echo "-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd" | sudo tee -a /etc/audit/rules.d/audit.rules
echo "-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd" | sudo tee -a /etc/audit/rules.d/audit.rules
# load the rules from /etc/audit/rules.d into the running auditd
sudo augenrules --load
# query the collected events later with:
sudo ausearch -k rootcmd -i
```
* [Log Parser](https://github.com/xtorker/replayUserAudit)
  Download it and run it with sudo.
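As an added example (not the linked replayUserAudit tool), the parser below reconstructs the logged root commands from audit.log records by grouping them on the event id; the log lines are constructed samples in the format the `rootcmd` rule emits, including one EXECVE argument that auditd hex-encodes because it contains spaces.

```python
import re
from collections import defaultdict

# Constructed sample records in the /var/log/audit/audit.log format that the
# "-k rootcmd" rule above produces (one SYSCALL + EXECVE [+ CWD] per event).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1617172100.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="apt" exe="/usr/bin/apt" key="rootcmd"
type=EXECVE msg=audit(1617172100.123:456): argc=3 a0="apt" a1="install" a2="htop"
type=CWD msg=audit(1617172100.123:456): cwd="/home/alice"
type=SYSCALL msg=audit(1617172100.900:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="rootcmd"
type=EXECVE msg=audit(1617172100.900:457): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64
type=SYSCALL msg=audit(1617172101.000:458): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1617172101.000:458): argc=1 a0="ls"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
EVENT_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")  # epoch seconds and event id


def decode_arg(value):
    """EXECVE args containing spaces or control bytes are hex-encoded and unquoted."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode("utf-8", "replace")


def root_commands(log_text, key="rootcmd"):
    """Group records by event id and rebuild every keyed execve as who/where/what."""
    events = defaultdict(dict)
    for line in filter(None, log_text.splitlines()):
        epoch, event_id = EVENT_RE.search(line).groups()
        fields = dict(FIELD_RE.findall(line))
        events[event_id]["epoch"] = int(epoch)
        events[event_id][fields["type"]] = fields
    results = []
    for event_id, ev in sorted(events.items()):
        syscall = ev.get("SYSCALL", {})
        if syscall.get("key") != f'"{key}"' or "EXECVE" not in ev:
            continue  # unkeyed execve (an ordinary user command): not ours
        execve = ev["EXECVE"]
        argv = [decode_arg(execve[f"a{i}"]) for i in range(int(execve["argc"]))]
        results.append({
            "epoch": ev["epoch"],
            "auid": int(syscall["auid"]),  # login uid survives sudo: the real user
            "tty": syscall.get("tty"),
            "cwd": ev.get("CWD", {}).get("cwd", "").strip('"'),
            "cmd": " ".join(argv),
        })
    return results
```

Calling `root_commands(SAMPLE_LOG)` yields two entries, both attributed to auid 1000, while the unkeyed `ls` event is skipped.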
### 9. Docker & Nvidia-docker (with remap user namespace)
[[Reference]](https://docs.docker.com/engine/security/userns-remap/)
1. Install docker & nvidia-docker following the tutorials
2. Remap user namespace
   `sudo vim /etc/docker/daemon.json`
   and make it look like the following:
```json=
{
  "runtimes": {
    "nvidia": {
      "path": "nvidia-container-runtime",
      "runtimeArgs": []
    }
  },
  "userns-remap": "default"
}
```
3. Add docker group
`sudo usermod -aG docker $username`
4. Test
```shell=
docker run --rm -it busybox /bin/sh
## in the container shell
/ # whoami
root
/ # sleep 60
## check outside the container (on host)
ps -fC sleep
## If the sleep command is not running with uid 0 (root), then you are done. Yeah~
```
### 10. Install & Setup ClamAV (Optional)
[[Reference]](https://aaronbrighton.medium.com/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41)
[[Reference]](https://wiki.archlinux.org/index.php/ClamAV#Run_in_multiple_threads)
```bash=
sudo apt install clamav clamav-daemon
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
```
#### Add into cron task
```bash=
sudo mkdir /root/quarantine
echo "0 3 * * sat root /usr/bin/clamdscan --multiscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /" | sudo tee /etc/cron.d/clamdscan
```
This makes the server scan at 3 a.m. every Saturday.
If you want a different frequency, please refer to [crontab(5)](https://linux.die.net/man/5/crontab).
#### Exclude some directories from scanning
```bash=
printf "ExcludePath ^/proc\nExcludePath ^/sys\nExcludePath ^/run\nExcludePath ^/dev\nExcludePath ^/snap\nExcludePath ^/var/lib/lxcfs/cgroup\nExcludePath ^/root/quarantine\n" | sudo tee -a /etc/clamav/clamd.conf
```
#### Adjust some parameters in /etc/clamav/clamd.conf
`sudo vim /etc/clamav/clamd.conf`
increase the values of `MaxThreads` and `MaxRecursion`, then
`sudo systemctl restart clamav-daemon`