By: asb

What do you do with your first five minutes on a new server?

August 26, 2016 14.9k views
Getting Started Security Linux Basics

What are the things you do every time you log into a new Droplet for the first time? I'm always curious about how other people approach this. If you were to write your own Initial Server Setup guide, what would it include?

  • What do you do to lock down and secure your server?
  • What are the tools and utilities that you can't live without that aren't included in the default install?

Have you automated it? Share your user-data script, Ansible playbook, or your own approach.

5 comments
  • install tmux
    in iptables restrict ssh port to my office
    update all packages & reboot
    add new user with sudo and a public key
    alter sshd_config to disable root login, and to require public key for all users

    • Drop in ssh keys
    • Disable ssh password login and root login
    • install git
    • checkout my dot files from git
    • install vim
    • install tmux
    • disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces
    • update os/tools to latest/desired versions
    • install sudo and sudo-pam-auth. Configure it to work with ssh keys
    • enjoy
  • Chef bootstrap :)

  • apt-get install mc ncdu iftop htop iotop gcc make git screen

    • ossec + ssh tweaks + iptables + exim as a relay to send alerts to my mail in a box
  • Install Updates
    Setup SSH configuration
    Restart

29 Answers

I run playbooks related to the server's purpose, especially the "common" one. Usually I use Debian.

  • Install my favorite tools (vim, zsh, htop, glances, sudo, rsync, ufw) + their configuration
  • Install common dependencies required most of the time (git, build-essential)
  • Configure the mail server (postfix)
  • Install most of the debug tools I've used in my life, just in case (lsof, gdb, iotop, slurm, strace)
  • Harden SSH login
  • Setup fail2ban
  • Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup)
  • Configure time-related stuff (tzdata, ntp, setting the time zone)
  • Setup terminal auto-logout after a few minutes of inactivity
  • Set a random root password (for console login only)

For all other roles, usually they start with ufw configuration, install the matching packages (+ the dbg packages when available, they can prove invaluably useful once every two years) and write the project-independent configuration files.

To share my own, there are a few things I do for every server that I spin up:

  • I block incoming connections on all ports except SSH by default.
  • Upgrade all installed packages
  • Install a few packages like git and htop
  • Disable the root account
  • Enable Byobu

Here it is as an Ansible task on GitHub.

Byobu is an easy-to-use wrapper around the tmux (or screen) terminal multiplexer. This means that it makes it easy for you to open multiple windows and run multiple commands within a single terminal connection. This tutorial will cover how to install and configure Byobu as well as how to use its most common features.

Let's share my classic procedure for spin up:

  • apt-get update && apt-get -y upgrade && apt-get -y full-upgrade
  • Enable UFW and allow only SSH default
  • Install zsh instead of bash
  • Install git and copy development ssh keys
  • Configure timezone and install ntp
  • Config SSH to allow only key auth and PermitRootLogin no

As of now I would add Byobu, so good thing.
Maybe Initial Server guide should be updated with PermitRootLogin, timezone and ntp.

Also, I don't know how to use Ansible or any other management systems, but I started researching Ansible :)

create a user

  • set a password
  • give him sudo rights
  • copy public key to authorized_keys

configure sshd

  • disable root login
  • disable password login
  • restart sshd

test login with user and sudo to root

update everything

reboot

install etckeeper

  • etckeeper init
  • etckeeper commit -m initial

install vim-enhanced

  • I had forgotten about etckeeper! I think I'll have to bring that back into my toolkit.
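The "create a user / configure sshd / test login" steps above, written out as an added shell example that is not from this thread or any poster. It assumes a Debian/Ubuntu box whose stock sshd_config has the usual Include line for /etc/ssh/sshd_config.d/*.conf, a sudo group named "sudo", and the admin's public key passed in as a string; the drop-in path and function names are assumptions. The check function works on both a config file and the output of sshd -T, which prints the effective settings in the same keyword-value form.

```shell
#!/bin/sh
# Added example (not from the thread): create the admin user, render an sshd
# hardening drop-in, and verify the settings before sshd is reloaded.

# Step 1: admin user with sudo rights and an authorized public key.
# Runs as root. Run `passwd "$user"` afterwards if sudo should prompt for a
# password (the thread's "set a password" step); the login itself is key-only.
create_admin_user() {
    user="$1"; pubkey="$2"
    adduser --disabled-password --gecos "" "$user"
    usermod -aG sudo "$user"
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    printf '%s\n' "$pubkey" > "/home/$user/.ssh/authorized_keys"
    chmod 600 "/home/$user/.ssh/authorized_keys"
    chown "$user:$user" "/home/$user/.ssh/authorized_keys"
}

# Step 2: the hardening drop-in. Because the Include line sits at the top of
# the stock config and sshd keeps the FIRST value it sees for a keyword, these
# lines win over anything later in /etc/ssh/sshd_config.
render_sshd_hardening() {
    cat <<'EOF'
# 99-hardening.conf (assumed path): key-only logins, no root over SSH
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# First occurrence of a keyword in a config file (or in `sshd -T` output),
# lower-cased. Comment lines never match because $1 would start with '#'.
# Usage: sshd_effective <keyword> <file>
sshd_effective() {
    awk -v key="$1" 'tolower($1)==tolower(key) {print tolower($2); exit}' "$2"
}

# Step 3: does the file enforce the three settings the thread asks for?
# Returns 0 when all pass, 1 otherwise, naming each failing keyword on stderr.
check_sshd_hardening() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$key" "$cfg")
        # PubkeyAuthentication defaults to yes when absent; the other two
        # default to permissive values, so "absent" counts as a failure there.
        if [ -z "$got" ] && [ "$key" = PubkeyAuthentication ]; then got=yes; fi
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Step 4: write the drop-in and reload only if the full config parses.
# Keep the current SSH session open and test the new user from a second one
# (the thread's "test login" step) before closing it.
apply_sshd_hardening() {
    dropin=/etc/ssh/sshd_config.d/99-hardening.conf   # assumed path
    render_sshd_hardening > "$dropin"
    check_sshd_hardening "$dropin" || return 1
    sshd -t && systemctl reload ssh
}
```

Typical use as root: `create_admin_user deploy "$(cat deploy.pub)"`, then `apply_sshd_hardening`, then `sshd -T > /tmp/effective && check_sshd_hardening /tmp/effective` to confirm the running daemon agrees, since a Match block or a second drop-in can still override the file you wrote.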

My Ubuntu 16.04 server setup procedures:

  • Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes).
  • Disable all outbound traffic except for port 80. (Because paranoia)
  • Create a new user and disable the root user
  • Configure SSH to only allow key-based authentication.
  • Upload and sync my SSH keys.
  • Install git, screen, letsencrypt (I normally use DO for webservers), and Nginx.
  • Install node (usually) with these steps:
    • apt install npm # Installs current repository version of node & npm.
    • npm i -g n # Install n, a great and simple node version manager.
    • n latest # Update to the latest version of node.

I do a lot, currently have WordPress, Django and a Nodejs running on the same droplet. However, my First 5 moves in early seconds after creating a droplet are these:

  • Create new user with sudo
  • Enable SSH login for user
  • Disable password login for droplet
  • Install and enable ufw (allow out and incoming port 443, 80 and 22).
  • Install and config fail2ban

After the above steps, I can take a break.

About a year ago, I had a bash script that I would scp to the new server, run as root to do a few different tasks and create my personal user, then su to that user and finish up. It's a mess of case statements for CentOS 6, CentOS 7, and Ubuntu, so I needed something better. :)

Over the last three or four months, I've been learning Ansible and it's pretty easy to pick up. I have roles that do each of the following:

  1. Set the timezone to UTC.
  2. Install all updates.
  3. Install NTP.
  4. Set up SSH server: disable password authentication and root login.
  5. Install Fail2ban.
  6. Install vnstat.
  7. Install various other extra packages: dig, git, htop, iftop, iotop, mtr, ncdu, nmap, screen, sysstat, tcpdump, tig, tree, unzip, vim, zsh.
  8. Set up a non-root user: SSH keys, git and other configuration files, sudo access.

A firewall role definitely needs added in there. I'm sure there are roles on Ansible Galaxy for most or all of the things I'm doing, but I learned it a lot better by writing my own and studying others'.

I create my user, run my bash script for new VPSes, then add its IP to my DNS records.

script: https://github.com/benyanke/configScripts/blob/master/basicVpsSetupList.sh

Then, if it's a lamp server, I install Let's Encrypt.

I could tell you but to ensure server security, I can't

Debian preferred:

  • apt-get update; apt-get -f dist-upgrade
  • install custom grsec kernel from my own repository
  • apply custom firewall, deny everything, allow SSH only from my static IP
  • reboot

That's it. Less than 5 minutes.

Initial security items:

  1. scp public key into root account's authorized_keys
  2. Disable password authentication
  3. Change ssh port to (some memorable non-default port)
  4. Restart sshd
  5. Install Fail2Ban and ensure it's setup to monitor ssh logs
  6. Enable ufw (or setup default deny-all iptables rules, depending on the distro)
  7. Reset root user's password
  8. Create new, non-root user account
  9. scp public key into non-root user's authorized_keys file
  10. Ensure non-root user can login via ssh, and escalate to root with password, in separate ssh session (still logged in on prior session to correct where needed)
  11. Disable root login via ssh (locking down to only allow the non-profit user created earlier)
  12. Add new server access info as an alias to local workstation's ssh config

Security is good enough for now, on to admin preferences. Clone dotfiles and install associated packages, opening up ports where necessary per package.
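Step 5 above says to make sure Fail2Ban is watching the ssh logs. The counting that its sshd jail performs, written out over a few constructed auth.log lines as an added example (not from this thread or from Fail2Ban itself), shows what "monitoring" means and lets you confirm on a fresh box that the log really contains the lines a ban would be based on. The sample lines, hostnames and IPs (documentation ranges) are constructed; the maxretry value of 5 is Fail2Ban's documented default.

```shell
#!/bin/sh
# Added example (not from the thread): per-source-IP count of sshd
# authentication failures, the signal Fail2Ban's sshd jail bans on.

# Constructed sample in the format OpenSSH writes to /var/log/auth.log
# on Debian/Ubuntu (journalctl -u ssh prints the same message bodies).
sample_auth_log() {
    cat <<'EOF'
Aug 26 10:01:02 droplet sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Aug 26 10:01:04 droplet sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Aug 26 10:01:05 droplet sshd[1205]: Failed password for root from 203.0.113.7 port 50141 ssh2
Aug 26 10:01:07 droplet sshd[1207]: Invalid user oracle from 203.0.113.7 port 50150
Aug 26 10:01:09 droplet sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 50160 ssh2
Aug 26 10:02:11 droplet sshd[1220]: Failed password for deploy from 198.51.100.23 port 41000 ssh2
Aug 26 10:02:15 droplet sshd[1222]: Accepted publickey for deploy from 198.51.100.23 port 41002 ssh2: ED25519 SHA256:constructed
Aug 26 10:03:30 droplet sshd[1230]: Accepted publickey for deploy from 192.0.2.44 port 39000 ssh2: ED25519 SHA256:constructed
EOF
}

# Count failures per source IP on stdin, highest first, as "<count> <ip>".
# Keys on the two sshd messages the Fail2Ban sshd filter matches most often:
# "Failed password for ..." and "Invalid user ...". Successful "Accepted"
# lines are ignored, so a legitimate user with one typo is not counted twice.
failures_by_ip() {
    awk '
        / sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# IPs whose failure count reaches the jail's maxretry (Fail2Ban default: 5).
# Usage: offending_ips <maxretry> < logfile
offending_ips() {
    failures_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# Stand-alone run: counts for the sample, then who would be banned at 5.
sample_auth_log | failures_by_ip
echo "would ban at maxretry=5:"
sample_auth_log | offending_ips 5
```

On a real host run `failures_by_ip < /var/log/auth.log` (or `journalctl -u ssh --no-pager | failures_by_ip`) right after enabling the jail; if the counts stay at zero while `fail2ban-client status sshd` also shows nothing, the jail is usually reading the wrong log path or backend. Once step 2 (PasswordAuthentication no) is in place the "Failed password" lines largely disappear, which is why the thread pairs the two.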

  • Disable root login
  • Setup SSH configuration
  • Install updates
  • Install vim, htop, unzip

Get oh-my-zsh, install vim with janus

I install lamp on debian.
Then I install certbot
Then I disable ping and close all ports but not 80 and 443.

I have created a shell script which does the following tasks. I ran it so the basic setup of the server is done. It does take more than 5 min to run it.. LOL

  1. create a user and set its permissions and authentication key.
  2. disable root login.
  3. update system apt.
  4. install linuxbrew

change default password
create a new user
install apache

update packages, create a user, set ssh with key authentication, set my pubkey for my user, install fwknop and close all ports including ssh, open a beer :)

Automat.apk will show you what you did before and fix it

I rsync my custom install package, type: setup.sh and then go get coffee.

If I use SaltStack on server, then I do nothing if I have configured to do highstate automatically or I do salt-call state.highstate manually if not.

If I don't use SaltStack on that server, firstly I do yum install -y epel-release; yum install -y vim iftop iotop perftools strace tcpdump screen and few others :D

  • Salt is awesome but it relies on a master correct? What happens if your master is not available you can no longer do a highstate.

    • Salt is awesome but it relies on a master correct?

      The answer is: "Yes and no".

      You can have:
      a) master/minion config — which is what you said — minion needs remote master to work
      b) masterless config — you can put states and pillar right inside your server and use it directly without master
      c) you can use salt-ssh which works just like an Ansible. It logs into host, copies itself into it and executes defined states.

      Since you said here "I execute setup.sh", it could be easier and better for you to use salt-ssh ;)

@tgwaste

I think I like your approach the best. Can you elaborate a little more?

apt-get update
apt-get upgrade
apt-get install tmux vim lynx wget gdebi-core ufw
ufw allow ssh
ufw enable

And after that, it depends what the server's going to be used for.

Install python-minimal to run Ansible.
