
Things to do on a fresh Linux installation

Create new sudo user

First we create the user

sudo adduser madman

Then add it to the sudo group

sudo usermod -aG sudo madman

Now we check if the user can run all commands

sudo -l -U madman

Disable root login

We can disable root logins with this command

sudo passwd -l root 

This will lock the password for the root user and you won’t be able to access the root account with its password until a new one is set.

Update and Upgrade the system

sudo apt-get update -y && sudo apt-get upgrade -y

It’s important to reboot the server after this step.

Configure Automatic Upgrades

First install unattended-upgrades

sudo apt-get install unattended-upgrades

Then we reconfigure it

sudo dpkg-reconfigure --priority=low unattended-upgrades

Then we can check the config file

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Install SSH server & configure key-based authentication

Install ssh server

We use openssh-server as our ssh-server

sudo apt-get install openssh-server

Configure key based authentication

Now we have to create an SSH key pair on the client machine. To do that, we run this command:

ssh-keygen -t ed25519

If the client machine is a legacy system that doesn’t support the Ed25519 algorithm, use:

ssh-keygen -t rsa -b 4096

Key-based authentication works by copying the client’s SSH public key to the server’s authorized_keys file.

To do this the easy way we just run this simple command:

ssh-copy-id <user>@<server-address>

This will automatically copy the client’s public key to the server’s trusted keys over an SSH connection.

If we want to do this manually we have to copy the contents of the client’s public key to the server’s authorized_keys file.

On the client machine (use id_rsa.pub instead if you generated an RSA key):

cat ~/.ssh/id_ed25519.pub

We copy the output. Then on the server:

nano ~/.ssh/authorized_keys

Paste the key, save the file, and we’re done.

Disable password based authentication

Now that we have enabled key-based authentication it’s logical that we disable password-based authentication for extra security.

To do this we have to edit the SSH daemon configuration file.

sudo nano /etc/ssh/sshd_config

Uncomment these 2 fields and set them to no:

PasswordAuthentication no
ChallengeResponseAuthentication no

Also to disable root account login:

PermitRootLogin no
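
Before restarting the daemon it is worth confirming that the three values will actually take effect: sshd keeps the first value it reads for each keyword, so a file that is read earlier can override the edit. The script below is an added example, not part of the original post; the sample files, the drop-in name and the helper functions first_value and audit_sshd are constructed for illustration.

```shell
#!/bin/sh
# Added example: check sshd config text for the three settings from this post.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive and '#' lines are ignored. Include expansion and Match
# blocks are not handled here: pass the files in the order sshd reads them.

# first_value KEYWORD FILE... -> first uncommented value, lowercased
first_value() {
    _kw=$1; shift
    awk -v kw="$_kw" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t=]+/) }
        tolower(f[1]) == tolower(kw) { print tolower(f[2]); exit }
    ' "$@"
}

# audit_sshd FILE... -> one line per setting; exit status = number of failures
audit_sshd() {
    _fails=0
    for _key in PasswordAuthentication ChallengeResponseAuthentication PermitRootLogin; do
        _val=$(first_value "$_key" "$@")
        if [ "$_val" = "no" ]; then
            echo "OK    $_key no"
        else
            # An unset keyword falls back to a default that is not "no"
            echo "FAIL  $_key ${_val:-unset}"
            _fails=$((_fails + 1))
        fi
    done
    return "$_fails"
}

# Constructed sample input: the post's edits, plus a hypothetical drop-in
# file that is read before them and still enables password logins.
demo=$(mktemp -d)
printf '%s\n' '#PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'PermitRootLogin no' > "$demo/sshd_config"
printf '%s\n' 'passwordauthentication yes' > "$demo/50-dropin.conf"

audit_sshd "$demo/sshd_config" || true   # main file alone: all three OK
audit_sshd "$demo/50-dropin.conf" "$demo/sshd_config" \
    || echo "$? setting(s) not applied"  # drop-in read first wins
rm -rf "$demo"
```

On a live host, `sudo sshd -t` validates the configuration syntax and `sudo sshd -T` prints the effective values, including Include and Match handling.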

Now we restart the SSH daemon

sudo systemctl restart sshd

Configure Static IP

sudo nano /etc/netplan/01-netcfg.yaml

network:
  version: 2
  renderer: networkd
  ethernets:
    ens18:
      dhcp4: no
      addresses:
        - 192.168.0.222/24
      gateway4: 192.168.0.1
      nameservers:
        addresses: [192.168.0.4]

Apply the settings

sudo netplan apply

Hostname

Check the current hostname:

hostnamectl

Change hostname to rocketship

sudo hostnamectl set-hostname rocketship

The hostname must also be changed in this file:

sudo nano /etc/hosts

Timezone

Check timezone:

timedatectl

Change the timezone:

sudo timedatectl set-timezone America/Chicago

Change with menu:

sudo dpkg-reconfigure tzdata 

Firewall

Allow outgoing traffic by default:

sudo ufw default allow outgoing

Deny incoming traffic by default:

sudo ufw default deny incoming

Allow ssh service:

sudo ufw allow ssh

Enable the firewall:

sudo ufw enable

Check status:

sudo ufw status

This post is licensed under CC BY 4.0 by the author.