I run playbooks related to the server’s purpose, especially the “common” one. Usually I use Debian.

• Install my favorite tools (vim, zsh, htop, glances, sudo, rsync, ufw) + their configuration
• Install common dependencies required most of the time (git, build-essential)
• Configure the mail server (postfix)
• Install most of the debug tools I’ve used in my life, just in case (lsof, gdb, iotop, slurm, strace)
• Harden SSH login
• Setup fail2ban
• Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup)
• Configure time-related stuff (tzdata, ntp, setting the time zone)
• Setup terminal auto-logout after a few minutes of inactivity
• Set a random root password (for console login only)

For all other roles, usually they start with ufw configuration, install the matching packages (+ the dbg packages when available, they can prove invaluably useful once every two years) and write the project-independant configuration files.

To share my own, there are a few things I do for every server that I spin up:

• I block incoming connections on all ports except SSH by default.
• Upgrade all installed packages
• Install a few packages like git and htop
• Disable the root account
• Enable Byobu

Here it is as an Ansible task on GitHub.

Let’s share my classic procedure for spin up:

• apt-get update && apt-get -y upgrade && apt-get -y full-upgrade
• Enable UFW and allow only SSH default
• Install zsh instead of bash
• Install git and copy development ssh keys
• Configure timezone and install ntp
• Config SSH to allow only key auth and PermitRootLogin no

As of now I would add Byobu, so good thing.
Maybe Initial Server guide should be updated with PermitRootLogin, timezone and ntp.

Also, I don’t know to use Ansible or any other management systems, but I started researching Ansible :)

create a user

• set a password
• give him sudo rights
• copy public key to authorized_keys

configure sshd

• disable root login
• disable password login
• restart sshd

test login with user and sudo to root

update everything

reboot

install etckeeper

• etckeeper init
• etckeeper commit -m initial

install vim-enhanced

My Ubuntu 16.04 server setup procedures:

• Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes).
• Disable all outbound traffic except for port 80. (Because paranoia)
• Create a new user and disable the root user
• Configure SSH to only allow key-based authentication.
• Upload and sync my SSH keys.
• Install git, screen, letsencrypt (I normally use DO for webservers), and Nginx.
• Install node (usually) with these steps:
• - apt install npm # Installs current repository version of node & npm.
• - npm i -g n # Install n, a great and simple node version manager.
• - n latest # Update to the latest version of node.

I do a lot, currently have WordPress, Django and a Nodejs running on the same droplet. However, my First 5 moves in early seconds after creating a droplet are these:

• Create new user with sudo
• Enable SSH login for user
• Disable password login for droplet
• Install and enable ufw (allow out and incoming port 443, 80 and 22).
• Install and config fail2ban

After the above steps, I can take a break.

About a year ago, I had a bash script that I would scp to the new server, run as root to do a few different tasks and create my personal user, then su to that user and finish up. It’s a mess of case statements for CentOS 6, CentOS 7, and Ubuntu, so I needed something better. :)

Over the last three or four months, I’ve been learning Ansible and it’s pretty easy to pick up. I have roles that do each of the following:

1. Set the timezone to UTC.
2. Install all updates.
3. Install NTP.
4. Set up SSH server: disable password authentication and root login.
5. Install Fail2ban.
6. Install vnstat.
7. Install various other extra packages: dig, git, htop, iftop, iotop, mtr, ncdu, nmap, screen, sysstat, tcpdump, tig, tree, unzip, vim, zsh.
8. Set up a non-root user: SSH keys, git and other configuration files, sudo access.

A firewall role definitely needs added in there. I’m sure there are roles on Ansible Galaxy for most or all of the things I’m doing, but I learned it a lot better by writing my own and studying others’.

I create my user, run my bash script for new VPSes, then add it’s IP to my DNS records.

script: https://github.com/benyanke/configScripts/blob/master/basicVpsSetupList.sh

Then, if it’s a lamp server, I install Let’s Encrypt.

I could tell you but to ensure server security, I can’t

Debian preferred:

• apt-get update; apt-get -f dist-upgrade
• install custom grsec kernel from my own repository
• apply custom firewall, deny everything, allow SSH only from my static IP
• reboot

That’s it. Less than 5 minutes.

Initial security items:

1. scp public key into root account’s authorized_keys
2. Disable password authentication
3. Change ssh port to (some memorable non-default port)
4. Restart sshd
5. Install Fail2Ban and ensure it’s setup to monitor ssh logs
6. Enable ufw (or setup default deny-all iptables rules, depending on the distro)
7. Reset root user’s password
8. Create new, non-root user account
9. scp public key into non-root user’s authorized_keys file
10. Ensure non-root user can login via ssh, and escalate to root with password, in separate ssh session (still logged in on prior session to correct where needed)
11. Disable root login via ssh (locking down to only allow the non-profit user created earlier
12. Add new server access info as an alias to local workstation’s ssh config

Security is good enough for now, on to admin preferences. Clone dotfiles and install associated packages, opening up ports where necessary per package.

• Disable root login
• Setup SSH configuration
• Install updates
• Install vim, htop, unzip

I apply my initial server scripts https://github.com/bogdanvlviv/i-vagrant

Install python-minimal to run Ansible.

Get oh-my-zsh, install vim with janus

I install lamp on debian.
Then I install certbot
Then I disable ping and close all ports but not 80 and 443.

change the hostname
install sl

I have created a shell script which does the following tasks. I ran it so the basic setup of the server is done. It does take more then 5 min to run it.. LOL

1. create a user and set its permissions and authentication key.
2. disable root login.
3. update system apt.
4. install linuxbrew

change default password
create a new user
install apache

Iptables set up. https://idolstarastronomer.com/iptables.html

PermitRootLogin no

I run Puppet or Ansible.

update packages, create a user, set ssh with key authentication, set my pubkey for my user, install fwknop and close all ports including ssh, open a beer :)

Automat.apk will show you what did you do before and fixed it

I rsync my custom install package, type: setup.sh and then go get coffee.

If I use SaltStack on server, then I do nothing if I have configured to do highstate automatically or I do salt-call state.highstate manually if not.

If I don’t use SaltStack on that server, firstly I do yum install -y epel-release; yum install -y vim iftop iotop perftools strace tcpdump screen and few others :D

@tgwaste

I think I like your approach the best. Can you elaborate a little more?

apt-get update
apt-get upgrade
apt-get tmux vim lynx wget gdebi-core ufw
ufw allow ssh
ufw enable

And after that, it depends what the server’s going to be used for.