Magni3

Starting with Ubuntu 8.04 Server LTS.

  • Set the correct hostname in /etc/hosts and /etc/hostname
  • Configure time
    • Set the timezone: dpkg-reconfigure tzdata
  • Install ntpdate and openntpd
  • Start openntpd:
    /etc/init.d/openntpd start
  • Set the time:
    ntpdate sundial.columbia.edu
  • Set hardware clock to UTC with:
    hwclock --systohc --utc
  • Install all updates.
  • Install vim
  • Set vim as the default editor:
    update-alternatives --set editor /usr/bin/vim.basic
  • Enable vim syntax highlighting by uncommenting the "syntax on" line of /etc/vim/vimrc or in individual users' .vimrc files.
  • Add admin user to admin group for sudo (gpasswd -a USER admin)
  • SSH Security
    • Protocol 2 (disable protocol 1)
    • [where possible] Use pre-shared keys
    • PermitRootLogin no
    • Uncomment Banner /etc/issue.net (and put "Unauthorized access is prohibited." in /etc/issue.net)
    • Move port
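An added check for the sshd_config settings above (example code, not part of the original checklist). It reads the file the way sshd does: the first uncommented occurrence of a keyword wins, so a hardened line appended at the end of the file has no effect if an earlier line already sets that keyword. The file path argument and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit an sshd_config for
# the checklist's SSH settings (Protocol 2, PermitRootLogin no, Banner, moved
# Port). sshd honours the FIRST uncommented occurrence of a keyword, so this
# check deliberately reads the file the same way.

# sshd_effective FILE KEYWORD: print the value sshd would use (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# check_sshd FILE: one line per finding; prints nothing when everything passes.
check_sshd() {
    f=$1
    v=$(sshd_effective "$f" Protocol)
    [ "$v" = 2 ] || echo "Protocol is '${v:-unset}', want 2"
    v=$(sshd_effective "$f" PermitRootLogin)
    [ "$v" = no ] || echo "PermitRootLogin is '${v:-unset}', want no"
    v=$(sshd_effective "$f" Banner)
    { [ -n "$v" ] && [ "$v" != none ]; } || echo "Banner is not set"
    v=$(sshd_effective "$f" Port)
    [ "${v:-22}" != 22 ] || echo "Port is 22; the checklist says to move it"
}

# Usage on a live host (assumed script name): sh check-sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    check_sshd "$1"
fi
```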
  • Create /etc/ftpusers and add a list of users who should not be allowed to connect with FTP and set it to 0600 perms. That should be everyone, since we will not be running an FTP server. This is just in case one gets installed somehow. Here is a starter list:
    adm
    bin
    daemon
    halt
    list
    logcheck
    lp
    mail
    man
    mysql
    news
    nobody
    ntpd
    postfix
    root
    shutdown
    sshd
    sync
    sys
    uucp
    voxel
    www-data
  • Root shell use notification - add this to /root/.bashrc:
    echo "ALERT - Root Shell Access (SERVER NAME) on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" admin@evermore.com
  • Change /etc/motd to include:

    This computer system is for the authorized use of authorized users only.
    All activity on this system is subject to monitoring and recording by
    authorized administrative personnel. Any information collected may be
    used and disclosed to other parties at the discretion of any system
    administrator. By using this system, you consent to these terms.
  • Disable unneeded groups/accounts
    To delete a user account: userdel name
    To delete a group: groupdel name
    To lock specific user accounts: /usr/sbin/usermod -L -s /bin/false user
    • sync
    • games
    • lp
    • news
    • uucp
    • proxy
    • backup
    • irc
    • gnats
  • Create ufw firewall
  • Enable kernel-level IP security.
    • In /etc/sysctl.conf, uncomment/add:
      net.ipv4.icmp_echo_ignore_broadcasts=1
      net.ipv4.tcp_syncookies=1
      net.ipv4.tcp_max_syn_backlog=2048
      net.ipv4.tcp_synack_retries=2
      net.ipv4.conf.default.accept_source_route=0
      net.ipv4.conf.default.forwarding=0
      net.ipv4.conf.default.accept_redirects=0
      net.ipv4.conf.all.log_martians=1
      net.ipv4.conf.lo.log_martians=1
      net.ipv4.conf.eth0.log_martians=1
      net.ipv4.icmp_ignore_bogus_error_responses=1
    • To get those options running immediately:
      echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies
      echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
      echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
      echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
      echo 0 > /proc/sys/net/ipv4/conf/default/forwarding
      echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
      echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
      echo 1 > /proc/sys/net/ipv4/conf/lo/log_martians
      echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians
      echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
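The two lists above must stay in sync: /etc/sysctl.conf is what survives a reboot, /proc/sys is what the kernel is actually doing now. This added script (example code, not part of the original checklist) reads a sysctl.conf-style file and compares each key against the running value; the optional second argument, which points it at a directory other than /proc/sys, is an assumption made so it can be tested against constructed files.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit that the keys in a
# sysctl.conf-style file match what the running kernel reports under /proc/sys.
# The optional PROC_ROOT argument is an assumption for testing; on a live host
# leave it at the default /proc/sys.

# "net.ipv4.tcp_syncookies" -> "net/ipv4/tcp_syncookies"
sysctl_key_to_path() {
    printf '%s\n' "$1" | tr '.' '/'
}

# audit_sysctl CONF [PROC_ROOT]
# One line per key: "OK key=value", "MISMATCH key want=X have=Y", or
# "MISSING key" when the kernel has no such node (e.g. an interface name that
# does not exist on this host).
audit_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    # drop comments and blank lines; accept both "key=value" and "key = value"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d ' \t')
        want=$(printf '%s' "$want" | tr -d ' \t')
        node="$root/$(sysctl_key_to_path "$key")"
        if [ ! -r "$node" ]; then
            echo "MISSING $key"
        elif [ "$(cat "$node")" = "$want" ]; then
            echo "OK $key=$want"
        else
            echo "MISMATCH $key want=$want have=$(cat "$node")"
        fi
    done
}

# Number of keys that are not OK; handy as a cron job's exit status.
sysctl_problem_count() {
    audit_sysctl "$@" | grep -vc '^OK ' || :
}

# Usage on a live host (assumed script name): sh audit-sysctl.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then
    audit_sysctl "$@"
fi
```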
  • Install sysv-rc-conf
  • Install and configure postfix for mail relaying (N.B.: this no longer works due to mail cluster configuration changes at the WSP; see WebServerMailConfig). We want to do this fairly early, since many of the packages installed later require an MTA and will cause exim4 to be installed automatically; exim4 is then very difficult to replace with postfix.
    • /etc/postfix/main.cf:
      # TLS parameters
      tls_random_source = dev:/dev/urandom
      smtp_tls_loglevel = 2
      smtp_enforce_tls = no
      ...
      relayhost = mail.evermore.com
      ...
      smtp_sasl_auth_enable = yes
      smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
      smtp_sasl_security_options =
    • Edit /etc/mailname to a valid domain name (e.g. evermore.com)
    • Create /etc/postfix/sasl/sasl_passwd:
      mail.evermore.com someuser@evermore.com:someuserspassword
    • Make sure sasl_passwd is mode 0600 and owned by root:root
    • Execute: sudo postmap /etc/postfix/sasl/sasl_passwd
    • Create /etc/postfix/transport: smtp:[mail.evermore.com]
    • Restart postfix
  • Set root to an appropriate email address in /etc/aliases, run newaliases
  • Install mutt
  • Install mailutils
  • Install tiger
    • Add a line to /usr/lib/tiger/systems/Linux/2/gen_mounts around line 100 to stop messages about SecurityFS not being a recognized file system (see this bug for details):
      [ "$1" = "securityfs" ] && LOCAL=0
  • Install logcheck
  • Install chkrootkit
  • Install procinfo
  • Install acct
  • Install and configure storage-usage.sh
    • Copy to /usr/local/bin
    • Crontab: 10 1 * * 1 /usr/local/bin/storage-usage.sh >/dev/null
  • Install and configure updatecheck.sh
    • Copy to /usr/local/bin
    • Crontab: 15 0 * * * /usr/local/bin/updatecheck.sh >/dev/null
  • Install /usr/local/etc/skel files
    • authorized_keys
    • domain.tld (update with main shared IP)
  • Install /usr/local/bin/createuser.sh
    • Modify line near the end to use the appropriate shared IP by default.
  • Install mailman
  • Install PHP
    • php5
    • php5-cli
    • php-mail-mime
    • php5-curl
    • php5-gd
    • php5-imagick
    • php5-mcrypt
    • php5-mysql
    • php5-dev (required for building PECL packages)
    • Install standard includes
  • Configure PHP (/etc/php/apache2/php.ini)
    • expose_php = Off
    • zlib.output_compression = On
    • max_execution_time = 120
    • display_errors = Off
    • log_errors = On
    • error_log = /var/log/php/php_errors.log
    • post_max_size = 50M
    • magic_quotes_gpc = Off
    • include_path = ".:/usr/share/php"
    • upload_max_filesize = 50M
    • Dynamic Extensions
      • extension=fileinfo.so
      • extension=imagick.so
      • extension=mcrypt.so
    • date.timezone = America/Phoenix
  • Install Fileinfo for ECMS2 support
    • Install libmagic1
    • Install libmagic-dev
    • Install make
    • pecl install Fileinfo
  • Configure Apache
    • /etc/apache2/apache2.conf
      • TypesConfig /etc/mime.types (?)
      • Add log format for benchmarking:
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T" combinedplus
      • ServerTokens Prod
      • ServerSignature Off
      • Disable trace to kill a PCI scan warning:
        TraceEnable Off
    • /etc/apache2/mods-available/alias.conf
      • Remove Indexes from the Options list for the icons folder for PCI compliance
    • Enable rewrite and SSL modules by linking them in /etc/apache2/mods-enabled from /etc/apache2/mods-available.
    • Configure virtual host apache log rotation for logrotate.
  • Install webalizer
  • Install MySQL
  • Check for open ports with netstat -tulp
  • Assign additional IPs to loopback interfaces in /etc/network/interfaces. Note that this requires a server reboot; restarting networking is unreliable.
    auto lo:1
    iface lo:1 inet static
    address xxx.xxx.xxx.xxx
    netmask 255.255.255.255