FileServer

Starting with Ubuntu 10.04 (Lucid Lynx) Server LTS.

  • Install all updates.
  • Configure time (log timestamps are only useful for correlation if every host agrees on the time)
    • Set the timezone: dpkg-reconfigure tzdata
    • Install ntpdate and openntpd
    • Set the time once, before openntpd is running (sundial.columbia.edu is this site's NTP server; substitute your own):
      ntpdate sundial.columbia.edu
    • Write the now-correct system clock to the hardware clock, stored as UTC:
      hwclock --systohc --utc
    • Start openntpd so the clock stays in sync from here on:
      /etc/init.d/openntpd start
  • Make sure the main file system (the one that will hold /home) is mounted with the acl and user_xattr options in /etc/fstab. Samba needs extended attributes to store DOS attributes and NT ACLs on files; after remounting, confirm with mount that both options are actually in effect.
  • Remove unneeded packages (none found).
  • Set vim as the default editor: update-alternatives --set editor /usr/bin/vim.basic
  • SSHD security (/etc/ssh/sshd_config)
    • PermitRootLogin no (sshd uses the first uncommented value it finds for a keyword, and on Lucid's OpenSSH the default when the keyword is absent is yes)
    • Uncomment: Banner /etc/issue.net (issue.net = Unauthorized access is prohibited.)
    • Check the file with sshd -t before reloading ssh; sshd -T prints the settings sshd will actually use.
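The following is an added example, not part of the original checklist: a small sh audit that reads an sshd_config and reports whether the two settings above are in effect. It reproduces sshd's own rules (first value wins, anything after a Match line is conditional) rather than grepping, because a PermitRootLogin no that only appears inside a Match block does not protect the host. The three sample configs are constructed for the demonstration; on the real server, sshd -T is the authoritative answer.

```sh
# Added example for this checklist (not from the original page): audit an
# sshd_config for the two settings required above. Portable sh, no root needed.

# sshd_effective FILE KEYWORD
# Prints the value sshd will use for KEYWORD. sshd keeps the FIRST value it
# sees for a keyword, and everything after a "Match" line is conditional, so
# scanning stops there. The "Keyword=value" spelling is accepted as sshd does.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }
        k == key { print f[2]; exit }
    ' "$1"
}

# check_sshd_config FILE
# Prints one line per failing check; returns 0 only if both checks pass.
check_sshd_config() {
    cfg="$1"; rc=0
    prl=$(sshd_effective "$cfg" PermitRootLogin)
    # OpenSSH 5.x (Lucid) treats an unset PermitRootLogin as "yes".
    if [ "$prl" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${prl:-unset, defaults to yes}', want 'no'"
        rc=1
    fi
    banner=$(sshd_effective "$cfg" Banner)
    if [ -z "$banner" ] || [ "$banner" = "none" ]; then
        echo "FAIL: Banner is not set"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not copied from any real host).
demo=$(mktemp -d)
cat > "$demo/stock" <<'EOF'
# Lucid's shipped file leaves both settings commented out
Port 22
#PermitRootLogin yes
#Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$demo/hardened" <<'EOF'
Port 22
PermitRootLogin no
Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$demo/trap" <<'EOF'
# looks hardened, but both lines sit under a Match block and only apply there
Port 22
Match Address 10.0.0.0/8
    PermitRootLogin no
    Banner /etc/issue.net
EOF
for f in stock hardened trap; do
    if check_sshd_config "$demo/$f"; then
        echo "$f: OK"
    else
        echo "$f: NOT hardened"
    fi
done
rm -rf "$demo"
```

Run it against a copy of the live file with check_sshd_config /etc/ssh/sshd_config; only the "hardened" sample passes, and the "trap" sample shows why a plain grep for PermitRootLogin is not enough.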
  • Change /etc/issue to include:

    This computer system is for the authorized use of authorized users only.
    All activity on this system is subject to monitoring and recording by
    authorized administrative personnel. Any information collected may be
    used and disclosed to other parties at the discretion of any system
    administrator. By using this system, you consent to these terms.
  • Change /etc/update-motd.d/* as appropriate.
  • Create ufw firewall:
    • Before enabling, allow SSH so the current session is not cut off: ufw allow proto tcp from any to any port 22
    • ufw enable
    • ufw allow OpenSSH (the application profile; it covers the same port 22 as the rule above, so one of the two is redundant)
    • ufw allow Postfix (opens port 25 inbound; only needed if this host should accept mail from the network, not for the outbound relaying configured below)
    • ufw allow Samba
    • Confirm the resulting rule set with ufw status verbose.
  • Install logcheck (and logcheck-database to get rules to filter out normal traffic)
  • Install tiger (configure to run via cron) - Tiger Home Page
  • Disable unneeded groups/accounts
    To delete a user account: userdel name
    To delete a group: groupdel name
    To lock specific user accounts: /usr/sbin/usermod -L -s /bin/false user
    Prefer locking to deleting: these are base-passwd system accounts, update-passwd will offer to recreate any that are missing, and packages installed later may expect them. Note that -L only disables the password; the shell change is what blocks interactive use, and neither stops cron jobs or SSH keys belonging to the account.
    • sync
    • games
    • lp
    • news
    • uucp
    • proxy
    • backup
    • irc
    • gnats
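An added example, not part of the original checklist: an sh audit that takes copies of /etc/passwd and /etc/shadow and reports which of the accounts above are still usable, i.e. have a password hash that is not disabled or a shell that allows interactive login. The sample passwd and shadow lines are constructed for the demonstration (the hash is not a real one); the shell list in is_nologin_shell is an assumption covering the shells Debian and Ubuntu ship for this purpose.

```sh
# Added example for this checklist (not from the original page): verify that
# the service accounts listed above are actually locked, using copies of
# /etc/passwd and /etc/shadow so it can be run as an audit without root.

# is_nologin_shell SHELL -> 0 if the shell refuses interactive logins
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_locked_accounts PASSWD_FILE SHADOW_FILE NAME...
# Prints one line per problem; returns 0 only if every named account that
# exists has both a disabled password ("!" or "*" hash) and a nologin shell.
# usermod -L only prefixes the hash with "!", which does not stop SSH
# public-key logins or cron jobs; that is why the shell is checked as well.
audit_locked_accounts() {
    passwd="$1"; shadow="$2"; shift 2
    rc=0
    for u in "$@"; do
        if ! grep -q "^$u:" "$passwd"; then
            echo "INFO: $u: no such account"
            continue
        fi
        shell=$(awk -F: -v u="$u" '$1 == u { print $7; exit }' "$passwd")
        [ -n "$shell" ] || shell=/bin/sh    # an empty 7th field means /bin/sh
        pw=$(awk -F: -v u="$u" '$1 == u { print $2; exit }' "$shadow")
        case "$pw" in
            '!'*|'*'*) ;;                    # locked, or no valid password
            *) echo "FAIL: $u: password field '$pw' allows password login"; rc=1 ;;
        esac
        if ! is_nologin_shell "$shell"; then
            echo "FAIL: $u: login shell is $shell"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not from a real system). Debian ships most system
# accounts with "*" in shadow but /bin/sh as the shell, which is exactly the
# state the usermod -L -s /bin/false step above is meant to fix.
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
EOF
cat > "$demo/shadow" <<'EOF'
root:$6$constructed$notarealhash:15000:0:99999:7:::
sync:*:15000:0:99999:7:::
games:*:15000:0:99999:7:::
lp:!:15000:0:99999:7:::
backup::15000:0:99999:7:::
EOF
if audit_locked_accounts "$demo/passwd" "$demo/shadow" sync games lp backup irc; then
    echo "all listed accounts are locked"
else
    echo "some listed accounts still need usermod -L -s /bin/false"
fi
rm -rf "$demo"
```

In the sample only lp passes; sync and games have disabled passwords but usable shells, and backup has an empty password field, which is worse than an unlocked hash because it permits login with no password at all. On the real host run it as root against /etc/passwd and /etc/shadow after the usermod step.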
  • Create /etc/ftpusers and add a list of users who should not be allowed to connect with FTP and set it to 0600 perms. That should be everyone, since we will not be running an FTP server. This is just in case one gets installed somehow. Here is a starter list:
    adm
    bin
    daemon
    halt
    list
    logcheck
    lp
    mail
    man
    mysql
    news
    nobody
    ntpd
    postfix
    root
    shutdown
    sshd
    sync
    sys
    uucp
    www-data
  • Root shell use notification - add this to /root/.bashrc. It fires for interactive root shells (su -, sudo -i), not for commands run through sudo without a shell, and anyone who is already root can delete it, so treat it as a tripwire rather than a control. who -m reports only the current session, so the subject line carries the originating host instead of every logged-in user:
    echo "ALERT - Root shell on $(hostname) at $(date): $(who -m)" | mail -s "Alert: root access on $(hostname) from $(who -m | sed 's/.*(\(.*\)).*/\1/')" admin@evermore.com
  • Set .bash_history to append-only for all users. The file must already exist, and bash must be told to append rather than rewrite it (shopt -s histappend in /etc/bash.bashrc), otherwise it cannot save history at all on an append-only file; a user can still unset HISTFILE, so this only raises the bar:
    for h in /root/.bash_history /home/*/.bash_history; do [ -f "$h" ] && chattr +a "$h"; done
  • Install and configure postfix for mail relaying (outbound only: this host hands everything to the site relay and authenticates to it)
    • /etc/postfix/main.cf:
      # TLS parameters
      tls_random_source = dev:/dev/urandom
      smtp_tls_loglevel = 2
      smtp_enforce_tls = no
      ...
      relayhost = [mail.evermore.com]
      ...
      smtp_sasl_auth_enable = yes
      smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
      smtp_sasl_security_options = noanonymous
      Notes: the brackets on relayhost suppress the MX lookup and must match the sasl_passwd key exactly, brackets included, or the credentials will not be found. The default for smtp_sasl_security_options is noplaintext, noanonymous; it is relaxed here because most relays only offer PLAIN or LOGIN, but leaving it completely empty would also permit anonymous mechanisms. With smtp_enforce_tls = no (the pre-2.3 spelling; the current parameter is smtp_tls_security_level) those PLAIN/LOGIN credentials cross the wire in the clear whenever the relay does not offer STARTTLS, so if mail.evermore.com supports TLS, set smtp_tls_security_level = encrypt instead.
    • Create /etc/postfix/sasl/sasl_passwd (lookup key first, then user:password):
      [mail.evermore.com] someuser@evermore.com:someuserspassword
    • Make sure sasl_passwd, and the sasl_passwd.db that postmap creates next to it, are mode 600 and owned by root:root
    • Execute: sudo postmap /etc/postfix/sasl/sasl_passwd
    • /etc/postfix/transport is not needed when relayhost is set. If you want one anyway, entries have the form pattern transport:nexthop (e.g. * smtp:[mail.evermore.com]), the file must be compiled with postmap, and main.cf must reference it with transport_maps = hash:/etc/postfix/transport.
    • Edit /etc/mailname to a valid domain name (e.g. evermore.com)
    • Restart postfix and send a test message; with smtp_tls_loglevel = 2 the TLS negotiation and SASL result show up in /var/log/mail.log
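An added example, not part of the original checklist: an sh check that reads main.cf and sasl_passwd and catches the three mistakes that silently break or weaken this relay setup, a sasl_passwd key that does not match relayhost character for character, an emptied smtp_sasl_security_options, and plaintext SASL without a mandatory TLS level. The two main.cf fragments and the sasl_passwd line are constructed for the demonstration, with the page's placeholder host and credentials; the parser is deliberately minimal (no continuation lines, no $variable expansion), which is enough for these keys.

```sh
# Added example for this checklist (not from the original page): check that
# main.cf and sasl_passwd agree before restarting Postfix. Portable sh.

# cf_get MAIN_CF PARAMETER
# Prints the parameter's value (last assignment wins, as in Postfix);
# returns 1 if the parameter is not set at all. Continuation lines and
# $variable expansion are not handled.
cf_get() {
    awk -v p="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == p) {
                found = 1
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            }
        }
        END { if (found) print v; exit !found }
    ' "$1"
}

# check_postfix_relay MAIN_CF SASL_PASSWD
# Prints one line per problem; returns 0 only if all checks pass.
check_postfix_relay() {
    maincf="$1"; saslpw="$2"; rc=0

    relay=$(cf_get "$maincf" relayhost) || { echo "FAIL: relayhost is not set"; return 1; }

    # The sasl_passwd lookup key must equal relayhost exactly, [] and :port included.
    if ! awk -v k="$relay" '/^[ \t]*#/ || NF == 0 { next } $1 == k { ok = 1 } END { exit !ok }' "$saslpw"; then
        echo "FAIL: no sasl_passwd entry keyed exactly '$relay'"
        rc=1
    fi

    # Default is "noplaintext, noanonymous"; an explicit empty value drops both.
    if opts=$(cf_get "$maincf" smtp_sasl_security_options) && ! printf '%s' "$opts" | grep -q noanonymous; then
        echo "FAIL: smtp_sasl_security_options='$opts' permits anonymous mechanisms; use at least noanonymous"
        rc=1
    fi

    # Plaintext SASL mechanisms need a mandatory TLS level, or the password crosses the wire in the clear.
    lvl=$(cf_get "$maincf" smtp_tls_security_level) || lvl=""
    enf=$(cf_get "$maincf" smtp_enforce_tls) || enf=""
    case "$lvl" in
        encrypt|verify|secure|fingerprint|dane-only) ;;
        *)
            if [ "$enf" != "yes" ]; then
                echo "FAIL: TLS is not enforced (smtp_tls_security_level='$lvl', smtp_enforce_tls='${enf:-unset}')"
                rc=1
            fi ;;
    esac
    return $rc
}

# Constructed sample files (placeholder host, user and password).
demo=$(mktemp -d)
cat > "$demo/before.cf" <<'EOF'
relayhost = mail.evermore.com
smtp_enforce_tls = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options =
EOF
cat > "$demo/after.cf" <<'EOF'
relayhost = [mail.evermore.com]
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
EOF
printf '[mail.evermore.com] someuser@evermore.com:someuserspassword\n' > "$demo/sasl_passwd"
for f in before after; do
    if check_postfix_relay "$demo/$f.cf" "$demo/sasl_passwd"; then
        echo "$f: OK"
    else
        echo "$f: needs fixing"
    fi
done
rm -rf "$demo"
```

The "before" fragment fails all three checks and the "after" fragment passes; a relayhost written with a port, such as [mail.evermore.com]:587, likewise fails the key check unless sasl_passwd is keyed the same way. On the server, run check_postfix_relay /etc/postfix/main.cf /etc/postfix/sasl/sasl_passwd before the restart.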
  • Set root to an appropriate email address in /etc/aliases, run newaliases
  • Install mutt (mail client)
  • Install mailutils
  • Install and configure storage-usage.sh
  • Install and configure updatecheck.sh
  • Install and configure ConfigReport.sh
  • Install procinfo
  • Install chkconfig
  • Install acct
  • Configure Samba (Workgroup Config)
  • Install and configure Dirvish
  • Install clamav
  • Install avscan.sh
  • Install partimage
  • Back up the boot sector and use partimage to make an image of the /boot partition.