# Fresh Ubuntu Server Installation Ubuntu 20.04

### 0. Install with manual partition

[Make Partition](https://blog.gtwang.org/linux/parted-command-to-create-resize-rescue-linux-disk-partitions/)

:::danger
Make sure that root (/) and home (/home) are mounted on different disk partitions. This prevents a user from filling up the disk and taking down the whole system. The same reasoning applies to /var, where logs and Docker's image store live.
:::

### 1. Lock root account

:::info
Make sure you already have another administrative user on the system with root or “sudo” privileges before locking the root user.
:::

```bash
sudo passwd -l root
```

`passwd -l` only disables password authentication for root (it prefixes the hash in /etc/shadow with `!`). An SSH key in /root/.ssh/authorized_keys would still work, so also keep `PermitRootLogin no` in /etc/ssh/sshd_config. Check the result with `sudo passwd -S root`; the second field should read `L`.

### 2. Change Time Zone

```bash
sudo timedatectl set-timezone Asia/Taipei
```

### 3. Setup Firewall (ufw)

:::info
We deny all incoming connections except ssh and ftp in this example. Decide for yourself which services your server should expose.
:::

```bash=
# deny all incoming (outgoing stays allowed by default)
sudo ufw default deny incoming

# allow ssh with connection rate limiting: an IP that opens 6 or more
# connections within 30 seconds is blocked. This counts TCP connections,
# not failed passwords; use key-only authentication or fail2ban for that.
sudo ufw limit ssh

# allow ftp (port 21 only; passive-mode FTP also needs its data port range,
# and FTP is plaintext, so prefer SFTP over the ssh port where possible)
sudo ufw allow ftp

# log blocked packets at low level, stored in /var/log/ufw.log
sudo ufw logging low

# activate the rules; run this after the ssh rule above or a remote session is cut off
sudo ufw enable
```

* Check your current firewall setup with `sudo ufw status verbose`

### 4. Setup Static IP

```bash
sudo vim /etc/netplan/*.yaml
```

```yaml=
# This is the network config written by 'subiquity'
network:
  ethernets:
    enp3s0:
      addresses: [yourIP/24]
      gateway4: yourGateway
      nameservers:
        addresses: [yourDNS1, yourDNS2]
      dhcp4: no
  version: 2
```

:::warning
Make sure the interface name (e.g. enp3s0) is the same as the one shown by `ip a`.
:::

```bash
sudo netplan apply
```

If you are already connected over ssh, use `sudo netplan try` instead: it applies the configuration and reverts automatically after 120 seconds unless you confirm it, so a typo cannot lock you out. Newer netplan versions deprecate `gateway4` in favour of a `routes:` entry (`- to: default` / `via: yourGateway`); the form above still works on 20.04.

### 4.5 Check if you can ssh from remote

If it works, you can leave the server room now. ==Congratulations== 🥳

### 5. System Upgrade

```bash
sudo apt update
sudo apt upgrade -y
```

### 6. Install Common Monitoring Tools

```bash
sudo apt install iftop iotop
```

### 7. Setup Disk S.M.A.R.T. Monitoring Tool and Alert
We use ==smartmontools== to schedule disk self-tests and e-mail the administrator when a failure is detected. [[Reference]](https://help.ubuntu.com/community/Smartmontools#Advanced:_Running_as_Smartmontools_as_a_Daemon)

```bash
sudo apt install smartmontools
```

#### Setup schedule for smartmontools

```bash
sudo vim /etc/smartd.conf
```

Comment out the line similar to:

```bash
DEVICESCAN -d removable -n standby -m root -M exec /usr/share/smartmontools/smartd-runner
```

Add the lines below at the end of ==/etc/smartd.conf==

```bash=
/dev/sda -H -l error -l selftest -f -s (O/../../6/04|S/../15/./04|L/(03|06|09|12)/01/./22) \
  -m admin@example.com -M exec /usr/share/smartmontools/smartd-runner
```

Then restart the daemon with `sudo systemctl restart smartmontools` and look at `journalctl -u smartmontools` for configuration errors. `-m` only delivers mail if a local MTA (the `mail` command) is set up; add `-M test` temporarily to receive one test mail at startup and confirm the path works.

Explanation:

* /dev/sda: one line per disk you want to monitor, e.g. /dev/sda, /dev/sdb, /dev/sdc. `-H` checks the SMART health status, `-l error` and `-l selftest` report new entries in the error and self-test logs, and `-f` reports failing usage attributes.
* `(O/../../6/04|S/../15/./04|L/(03|06|09|12)/01/./22)`: the test schedule. It reads as:
  1. Run an offline test every Saturday between 4 and 5 a.m.
  2. Run a short self-test between 4 and 5 a.m. on the 15th of each month
  3. Run a long self-test between 10 and 11 p.m. on the 1st of March, June, September and December
* How it works
  * Every 30 minutes smartd builds the string ==T/MM/DD/d/HH== for the current time and runs test T if the whole string matches the regular expression. Month, day and hour are always two digits, so `6/4` never fires while `6/04` does.
  * Fields
    * T (Type):
      * O: Offline Immediate Test (ATA only)
      * S: Short self-test
      * L: Long self-test
      * C: Conveyance Self-Test (ATA only)

      To find the estimated duration of each test type on a specific disk: `sudo smartctl -c /dev/sda`
    * MM: month of the year (01-12)
    * DD: day of the month (01-31)
    * d: day of the week (1-7, Monday = 1, Sunday = 7)
    * HH: hour of the day (00-23)
  * Regular expression
    * A dot '.' matches any single character
    * A parenthetical expression such as '(A|B|C)' denotes any one of the three possibilities A, B, or C. Square brackets such as `[15-21]` are a character class, not a range of days (and `5-2` is not even a valid range); write the day out, e.g. `15`.
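To check a schedule before putting it in smartd.conf, the following added example (not part of the original page or of smartmontools) rebuilds the `T/MM/DD/d/HH` string exactly as smartd does for a given local time and reports which test types the regular expression would fire. It assumes GNU `date` (present on Ubuntu); the timestamps below are constructed.

```bash
#!/usr/bin/env bash
# Added example: decode which smartd self-tests a "-s REGEXP" schedule fires
# at a given local time. smartd builds the 12-character string T/MM/DD/d/HH
# (T = test type, d = day of week with Monday=1 ... Sunday=7) every 30 minutes
# and runs test T when the whole string matches the regular expression.
# Assumes GNU date (coreutils) for "-d" parsing.

smartd_matches() {
    local regex=$1 when=$2 stamp t out=""
    # MM/DD/d/HH exactly as smartd formats it: two-digit month, day and hour
    stamp=$(date -d "$when" +%m/%d/%u/%H) || return 1
    for t in O S L C; do
        # grep -x: the entire string must match, as smartd requires
        if printf '%s/%s\n' "$t" "$stamp" | grep -Eqx -- "$regex"; then
            out="$out $t"
        fi
    done
    printf '%s\n' "${out# }"
}

# The schedule from this page, with two-digit hours
SCHED='(O/../../6/04|S/../15/./04|L/(03|06|09|12)/01/./22)'

smartd_matches "$SCHED" '2021-05-15 04:10'          # Saturday the 15th, 04:xx -> O S
smartd_matches "$SCHED" '2021-06-01 22:30'          # 1 June, 22:xx -> L
smartd_matches "$SCHED" '2021-05-15 05:10'          # nothing scheduled at 05:xx
smartd_matches 'O/../../6/4' '2021-05-15 04:10'     # single-digit hour: never matches
```

When several types match the same half hour, smartd only starts one of them; use the output here to spot schedules that collide or that never fire at all (an empty line for every time you try is the typical symptom of a single-digit field).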
### 8. Install & Setup Audit (Important)

==Log all sudo commands==

```bash=
sudo apt install auditd audispd-plugins
# rules.d files take auditctl arguments only (no leading "auditctl"), and the
# redirection has to run as root, which "sudo echo ... >>" does not do
echo "-a always,exit -F arch=b64 -F euid=0 -S execve -k rootcmd" | sudo tee -a /etc/audit/rules.d/audit.rules
echo "-a always,exit -F arch=b32 -F euid=0 -S execve -k rootcmd" | sudo tee -a /etc/audit/rules.d/audit.rules
sudo systemctl restart auditd
# verify the rules were loaded and look at the events they produce
sudo auditctl -l
sudo ausearch -k rootcmd -i
```

The rule records every `execve` performed with effective uid 0, so it catches every command run through `sudo`, but also everything root-owned services and cron jobs execute. The `auid` field tells them apart: it holds the uid of the originally logged-in user (`unset` for daemons), so a `sudo` command can still be attributed to the person who typed it.

* [Log Parser](https://github.com/xtorker/replayUserAudit) download it and execute it with sudo

### 9. Docker & Nvidia-docker (with remap user namespace)

[[Reference]](https://docs.docker.com/engine/security/userns-remap/)

1. Install docker & nvidia-docker following the tutorials
2. Remap user namespace: `sudo vim /etc/docker/daemon.json`, make it look like the below, then `sudo systemctl restart docker`

   ```json=
   {
     "runtimes": {
       "nvidia": {
         "path": "nvidia-container-runtime",
         "runtimeArgs": []
       }
     },
     "userns-remap": "default"
   }
   ```

   With `"default"`, Docker creates a `dockremap` user, takes its subordinate id range from /etc/subuid and /etc/subgid (for example 100000-165535), and keeps remapped images and containers in a separate directory under /var/lib/docker, so images pulled before the switch are no longer visible.
3. Add the user to the docker group: `sudo usermod -aG docker $username` (log out and back in for it to take effect). Membership is still root-equivalent on the host: `docker run --userns=host -v /:/host ...` bypasses the remap, so only grant it to people you would also give sudo.
4. Test

   ```shell=
   docker run --rm -it busybox /bin/sh
   ## in the container shell
   / # whoami
   root
   / # sleep 60

   ## check outside the container (on host)
   ps -fC sleep
   ## If the sleep process is not running as uid 0 (root) but as a high uid
   ## such as 100000, the remap is in effect. Yeah~
   ```

### 10. Install & Setup ClamAV (Optional)

[[Reference]](https://aaronbrighton.medium.com/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41) [[Reference]](https://wiki.archlinux.org/index.php/ClamAV#Run_in_multiple_threads)

```bash=
sudo apt install clamav clamav-daemon
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
```

The `clamav-freshclam` service installed alongside downloads the signature database, and `clamav-daemon` cannot start until that first download has finished. If the start fails right after installation, wait a minute and check `journalctl -u clamav-freshclam`.

#### Add into cron task

```bash=
sudo mkdir -p /root/quarantine
echo "0 3 * * sat root /usr/bin/clamdscan --multiscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /" | sudo tee /etc/cron.d/clamdscan
```

This makes the server scan at 3 a.m. every Saturday. For a different frequency, refer to the crontab(5) format [here](https://linux.die.net/man/5/crontab). Be careful with `--move` on a full-filesystem scan: a false positive on a system binary gets quarantined and breaks the system. Run the first scans with `--log` only, review what they flag, and add `--move` once you trust the results.
#### Exclude some directories from scanning

```bash=
printf "ExcludePath ^/proc\nExcludePath ^/sys\nExcludePath ^/run\nExcludePath ^/dev\nExcludePath ^/snap\nExcludePath ^/var/lib/lxcfs/cgroup\nExcludePath ^/root/quarantine\n" | sudo tee -a /etc/clamav/clamd.conf
```

Excluding the quarantine directory matters: otherwise every weekly scan re-detects the files already moved there.

#### Adjust some parameters in /etc/clamav/clamd.conf

`sudo vim /etc/clamav/clamd.conf`

Increase "MaxThreads" (the number of files scanned in parallel, which is what `--multiscan` uses) and "MaxRecursion" (archive nesting depth); a full-filesystem scan may also exceed the default "MaxDirectoryRecursion" of 15. Then `sudo systemctl restart clamav-daemon`.
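The `-k rootcmd` rule in section 8 produces two records per command that share an event id: a `SYSCALL` record saying who (`auid`, `ses`, `tty`) and an `EXECVE` record saying what (`argc`, `a0`..`aN`). The following added example (not from the page or from the log parser linked there) joins the two with awk and drops events whose `auid` is unset, i.e. commands started by cron or daemons rather than by a logged-in user. The input lines are constructed to mimic the audit.log format; on a real server feed it `sudo ausearch -k rootcmd --raw`.

```bash
#!/usr/bin/env bash
# Added example: join the SYSCALL and EXECVE records written by the
# "-k rootcmd" audit rule and print who ran which command with euid 0.
# Real input: sudo ausearch -k rootcmd --raw | rootcmd_report
# Assumes the standard audit.log field layout (auid=, ses=, tty=, key=, argc=, aN=).
# Arguments containing spaces or quotes are hex-encoded by the kernel and are
# printed here as-is; "ausearch -i" decodes them.

rootcmd_report() {
    awk '
    # value of the first "name=value" token in line, quotes stripped
    function field(line, name,    s, v) {
        s = " " line
        if (!match(s, " " name "=[^ ]+")) return ""
        v = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", v)
        return v
    }
    # every record carries msg=audit(TIME:ID): the ID ties the pair together
    { if (match($0, /:[0-9]+\)/)) id = substr($0, RSTART + 1, RLENGTH - 2); else next }
    /^type=SYSCALL / && / key="rootcmd"/ {
        auid[id] = field($0, "auid"); ses[id] = field($0, "ses"); tty[id] = field($0, "tty")
    }
    /^type=EXECVE / && (id in auid) {
        # 4294967295 (-1) means no login session: cron, daemons, boot
        if (auid[id] == "4294967295") next
        n = field($0, "argc") + 0; cmd = ""
        for (i = 0; i < n; i++) { sep = (i ? " " : ""); cmd = cmd sep field($0, "a" i) }
        printf "auid=%s ses=%s tty=%s cmd=%s\n", auid[id], ses[id], tty[id], cmd
    }' "$@"
}

# Constructed sample records (not captured from a real system)
SAMPLE='type=SYSCALL msg=audit(1620000000.100:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="rootcmd"
type=EXECVE msg=audit(1620000000.100:201): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1620000000.200:202): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=4000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="rootcmd"
type=EXECVE msg=audit(1620000000.200:202): argc=3 a0="run-parts" a1="--report" a2="/etc/cron.hourly"
type=SYSCALL msg=audit(1620000000.300:203): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=5000 pid=5001 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="useradd" exe="/usr/sbin/useradd" key="rootcmd"
type=EXECVE msg=audit(1620000000.300:203): argc=3 a0="useradd" a1="-m" a2="backdoor"'

printf '%s\n' "$SAMPLE" | rootcmd_report
```

The cron-started `run-parts` event is filtered out because its `auid` is unset, while the two interactive commands keep the login uid and session that `sudo` cannot hide; that is the attribution the `euid=0` rule buys you over plain sudo logging.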
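For the test in section 9 it helps to know which host uid to expect in the `ps -fC sleep` output. Docker maps container uid N to the Nth id of the remap user's ranges in /etc/subuid, in file order. The following added example (not Docker's code) does that computation for a constructed /etc/subuid, including the case where a uid falls outside all mapped ranges. The user name `dockremap` is the one `"userns-remap": "default"` creates; the ranges are made up.

```bash
#!/usr/bin/env bash
# Added example: compute the host uid that a container uid maps to under
# userns-remap from /etc/subuid entries of the form "user:start:count".
# A user may own several ranges; they are concatenated in file order, so
# container uid 0 lands at the start of the first range.
# Constructed sample content, not read from a real system:
SUBUID_SAMPLE='lxd:100000:65536
dockremap:165536:65536
dockremap:300000:1000'

# host_uid_for SUBUID_TEXT USER CONTAINER_UID -> prints the host uid,
# or fails when CONTAINER_UID is beyond the ids the user owns
host_uid_for() {
    user=$2 cuid=$3 offset=0
    for entry in $1; do                     # one "user:start:count" per word
        name=${entry%%:*}; rest=${entry#*:}
        start=${rest%%:*}; count=${rest#*:}
        [ "$name" = "$user" ] || continue
        if [ "$cuid" -lt $((offset + count)) ]; then
            echo $((start + cuid - offset))
            return 0
        fi
        offset=$((offset + count))          # this range is used up, move on
    done
    echo "uid $cuid is outside the ranges of $user" >&2
    return 1
}

host_uid_for "$SUBUID_SAMPLE" dockremap 0        # container root -> 165536
host_uid_for "$SUBUID_SAMPLE" dockremap 65536    # first id of the second range -> 300000
host_uid_for "$SUBUID_SAMPLE" dockremap 70000 || true   # only 66536 ids are mapped
```

On the server itself, `grep dockremap /etc/subuid` gives the real ranges; a `sleep` process shown by `ps` with the uid this prints for 0 confirms that the container's root is an unprivileged user on the host.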