I run playbooks related to the server’s purpose, especially the “common” one. Usually I use Debian.

• Install my favorite tools (vim, zsh, htop, glances, sudo, rsync, ufw) + their configuration
• Install common dependencies required most of the time (git, build-essential)
• Configure the mail server (postfix)
• Install most of the debug tools I’ve used in my life, just in case (lsof, gdb, iotop, slurm, strace)
• Harden SSH login
• Setup fail2ban
• Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup)
• Configure time-related stuff (tzdata, ntp, setting the time zone)
• Setup terminal auto-logout after a few minutes of inactivity
• Set a random root password (for console login only)

For all other roles, usually they start with ufw configuration, install the matching packages (+ the dbg packages when available, they can prove invaluably useful once every two years) and write the project-independant configuration files.

To share my own, there are a few things I do for every server that I spin up:

• I block incoming connections on all ports except SSH by default.
• Upgrade all installed packages
• Install a few packages like git and htop
• Disable the root account
• Enable Byobu

Here it is as an Ansible task on GitHub.

Let’s share my classic procedure for spin up:

• apt-get update && apt-get -y upgrade && apt-get -y full-upgrade
• Enable UFW and allow only SSH default
• Install zsh instead of bash
• Install git and copy development ssh keys
• Configure timezone and install ntp
• Config SSH to allow only key auth and PermitRootLogin no

As of now I would add Byobu, so good thing.
Maybe Initial Server guide should be updated with PermitRootLogin, timezone and ntp.

Also, I don’t know to use Ansible or any other management systems, but I started researching Ansible :)

create a user

• set a password
• give him sudo rights
• copy public key to authorized_keys

configure sshd

• disable root login
• disable password login
• restart sshd

test login with user and sudo to root

update everything

reboot

install etckeeper

• etckeeper init
• etckeeper commit -m initial

install vim-enhanced

My Ubuntu 16.04 server setup procedures:

• Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes).
• Disable all outbound traffic except for port 80. (Because paranoia)
• Create a new user and disable the root user
• Configure SSH to only allow key-based authentication.
• Upload and sync my SSH keys.
• Install git, screen, letsencrypt (I normally use DO for webservers), and Nginx.
• Install node (usually) with these steps:
• - apt install npm # Installs current repository version of node & npm.
• - npm i -g n # Install n, a great and simple node version manager.
• - n latest # Update to the latest version of node.

I do a lot, currently have WordPress, Django and a Nodejs running on the same droplet. However, my First 5 moves in early seconds after creating a droplet are these:

• Create new user with sudo
• Enable SSH login for user
• Disable password login for droplet
• Install and enable ufw (allow out and incoming port 443, 80 and 22).
• Install and config fail2ban

After the above steps, I can take a break.

About a year ago, I had a bash script that I would scp to the new server, run as root to do a few different tasks and create my personal user, then su to that user and finish up. It’s a mess of case statements for CentOS 6, CentOS 7, and Ubuntu, so I needed something better. :)

Over the last three or four months, I’ve been learning Ansible and it’s pretty easy to pick up. I have roles that do each of the following:

1. Set the timezone to UTC.
2. Install all updates.
3. Install NTP.
4. Set up SSH server: disable password authentication and root login.
5. Install Fail2ban.
6. Install vnstat.
7. Install various other extra packages: dig, git, htop, iftop, iotop, mtr, ncdu, nmap, screen, sysstat, tcpdump, tig, tree, unzip, vim, zsh.
8. Set up a non-root user: SSH keys, git and other configuration files, sudo access.

A firewall role definitely needs added in there. I’m sure there are roles on Ansible Galaxy for most or all of the things I’m doing, but I learned it a lot better by writing my own and studying others’.

I create my user, run my bash script for new VPSes, then add it’s IP to my DNS records.

script: https://github.com/benyanke/configScripts/blob/master/basicVpsSetupList.sh

Then, if it’s a lamp server, I install Let’s Encrypt.

I could tell you but to ensure server security, I can’t

Debian preferred:

• apt-get update; apt-get -f dist-upgrade
• install custom grsec kernel from my own repository
• apply custom firewall, deny everything, allow SSH only from my static IP
• reboot

That’s it. Less than 5 minutes.