Server Quality of Life
- Initial Server Setup
Similar to the Workspace Quality of Life document that I created, I decided to write a document for manual configuration of new Linux servers.
The following contains some utility scripts and hardening practices.
Although multiple tools exist for programmatic provisioning of virtual machines and infrastructure, this document will rely primarily on manual configuration using
For servers, I typically use a combination of Ubuntu and Debian, opting to use the stable or long-term support variants.
The following setup instructions are intended for Rapid Access Cloud (RAC) but can be tooled for other cloud virtual machine providers with minimal changes.
The following instructions should be applicable to both operating systems, but assume Ubuntu, as the Debian image is not provided by default through RAC.
The documentation from Cybera is excellent and serves as a useful starting point for working with these virtual machines.
The quickstart default security group settings are modified slightly to lock down inbound SSH to trusted IP addresses only.
| Direction | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Remote Security Group | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Egress | IPv6 | Any | Any | ::/0 | - | No restrictions on outbound traffic. |
| Ingress | IPv4 | ICMP | Any | 0.0.0.0/0 | - | Allow all incoming Internet Control Message Protocol traffic (ex: |
Hardening is the security practice of reducing a system's vulnerability.
Various approaches for hardening exist and may depend on the tasks that the server will be used to perform.
Here are some of the common minimal steps that are done on my servers.
I use the default Cybera cloud image helper scripts that are provided in each new Ubuntu 18.04 instance.
These scripts can be ported to other cloud providers and on-site Linux systems.
A new user account should be created and used instead of the default ubuntu VM user. The following will use my first name as the new user.
Follow the prompts to create the UNIX password and optionally enter user information like.
We want to use this user for secure shell and Linux server maintenance operations with the server. Generate a local SSH key and install it in the
Refer to the Useful SSH section for further instructions.
Back up the SSH daemon configuration file located at /etc/ssh/sshd_config before making any changes.
Calling the SSH daemon with the extended test mode flag -T will show the configuration details.
The following baseline settings are applied to my
Reload the SSH daemon and run the test mode flag -t to ensure that no errors exist. Perform a sanity check by sshing into the server with the new settings.
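To go with the -T and -t checks above, here is an added example (not code from the original page) that audits the effective settings printed by `sshd -T` against a baseline. The `BASELINE` values, the `audit_sshd` function name and the sample dump are assumptions made for illustration, not the author's settings.

```shell
#!/bin/sh
# Assumed baseline for illustration only; edit it to match your own policy.
# `sshd -T` prints one "keyword value" pair per line, keywords in lowercase.
BASELINE='permitrootlogin no
passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
x11forwarding no'

# audit_sshd: reads `sshd -T` style output on stdin, prints one line per
# deviation, and returns 0 only when every baseline entry matches.
audit_sshd() {
    dump=$(cat)
    failures=0
    while read -r key want; do
        # Value of the first line whose keyword equals $key (empty if absent).
        got=$(printf '%s\n' "$dump" |
            awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key: got '$got', expected '$want'"
            failures=$((failures + 1))
        fi
    done <<EOF
$BASELINE
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE_DUMP='port 22
permitrootlogin yes
passwordauthentication no
pubkeyauthentication yes
x11forwarding yes'

# Demo run on the constructed sample. On a real server, as root:
#   sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_DUMP" | audit_sshd || echo "baseline not met"
```

Running the audit from an existing session, before closing it, leaves a way back in if the new settings turn out to be wrong.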
I like to use my logo as motd.
Contents of this file are shown to all users prior to executing the login shell.