# Ubuntu Server

- [Ubuntu Server](#ubuntu-server)
  - [Setup SSH](#setup-ssh)
  - [Fail2Ban](#fail2ban)
  - [Automatic Updates](#automatic-updates)
  - [Disable Swap](#disable-swap)
  - [Extras](#extras)

Note these instructions differentiate between an `operator` and a `server`. The operator can be
any machine that configures the server. A pipeline, laptop, dedicated server, etc. are all options.
The server can be its own operator, though that's not recommended since servers should be
ephemeral and the operator will store information about each server.

## Setup SSH

On the operator:

```bash
export SSH_HOST=kube
ssh-keygen -t rsa -b 4096 -C ducoterra@${SSH_HOST}.reeselink.com -f ~/.ssh/id_${SSH_HOST}_rsa

# Note: If you get "too many authentication failures" it's likely because you have too many private
# keys in your ~/.ssh directory. Use `-o PubkeyAuthentication=no` to fix it.
ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_${SSH_HOST}_rsa.pub ducoterra@${SSH_HOST}.reeselink.com

# Append a host entry to the operator's SSH config (variables expand inside the heredoc)
cat <<EOF >> ~/.ssh/config

Host $SSH_HOST
    Hostname ${SSH_HOST}.reeselink.com
    User root
    ProxyCommand none
    ForwardAgent no
    ForwardX11 no
    Port 22
    KeepAlive yes
    IdentityFile ~/.ssh/id_${SSH_HOST}_rsa
EOF
```

On the server:

```bash
# Copy authorized_keys to root
sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys

# Change your password
passwd

sudo su -
# Disable password logins over SSH
echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf
# Let members of the sudo group run sudo without a password
echo '%sudo ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-sudo
systemctl restart sshd
```

On the operator:

```bash
# Test if you can SSH with a password (expected to be refused)
ssh -o PubkeyAuthentication=no ducoterra@${SSH_HOST}.reeselink.com

# Test that you can log into the server with ssh config
ssh $SSH_HOST
```

## Fail2Ban

On the server:

```bash
apt update
apt install -y fail2ban

# Setup initial rules
cat <<EOF > /etc/fail2ban/jail.local
# Jail configuration additions for local installation

# Adjust the default configuration's default values
[DEFAULT]
# Optional: enter a trusted IP to never ban
ignoreip = 2600:1700:1e6c:a81f::0/64
bantime = 6600
backend = auto

# The main configuration file defines all services but
# deactivates them by default. We have to activate those needed
[sshd]
enabled = true
EOF

systemctl enable fail2ban --now
tail -f /var/log/fail2ban.log
```

## Automatic Updates

On the server:

```bash
apt install -y unattended-upgrades
systemctl enable --now unattended-upgrades.service
```

## Disable Swap

```bash
swapoff -a
```

## Extras

On the server:

```bash
# Install glances for system monitoring
apt install -y glances

# Install zsh with autocomplete and suggestions
apt install -y zsh zsh-autosuggestions zsh-syntax-highlighting

cat <<EOF > ~/.zshrc
# Basic settings
autoload bashcompinit && bashcompinit
autoload -U compinit; compinit
zstyle ':completion:*' menu select

# Prompt settings
autoload -Uz promptinit
promptinit
prompt redhat
PROMPT_EOL_MARK=

# Syntax Highlighting
source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh

### Custom Commands and Aliases ###
EOF

chsh -s "$(which zsh)" && chsh -s "$(which zsh)" ducoterra

# Cockpit
apt install -y cockpit
systemctl enable --now cockpit
```
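
A check for the Setup SSH step, added here as an example and not part of the original notes: sshd keeps the first value it obtains for each keyword, so the `01-` prefix on `01-prohibit-password.conf` only helps if no earlier-sorting drop-in sets `PasswordAuthentication`. The function name `effective_sshd_option` and the file `50-example.conf` are hypothetical, and the sketch assumes drop-ins are read in glob order, handles only the `Keyword value` form, and skips `Match` blocks.

```shell
#!/bin/sh
# Added example: report which sshd_config.d drop-in decides a keyword.
# Prints "<value> <file>" for the first drop-in (in glob order) that sets
# the keyword; returns 1 if no drop-in sets it.
effective_sshd_option() {
    eso_dir=$1
    eso_keyword=$2
    for eso_file in "$eso_dir"/*.conf; do
        [ -f "$eso_file" ] || continue
        eso_hit=$(awk -v kw="$eso_keyword" '
            tolower($1) == "match"     { exit }   # simplification: Match blocks are not evaluated
            NF == 0 || $1 ~ /^#/       { next }   # blank lines and comments
            tolower($1) == tolower(kw) { print $2; exit }   # keywords are case-insensitive
        ' "$eso_file")
        if [ -n "$eso_hit" ]; then
            printf '%s %s\n' "$eso_hit" "${eso_file##*/}"
            return 0
        fi
    done
    return 1
}

# Constructed sample: the drop-in from this page next to a later-sorting
# file that re-enables passwords. The 01- file is read first and wins.
demo_dir=$(mktemp -d)
echo "PasswordAuthentication no"  > "$demo_dir/01-prohibit-password.conf"
echo "PasswordAuthentication yes" > "$demo_dir/50-example.conf"
effective_sshd_option "$demo_dir" PasswordAuthentication
rm -rf "$demo_dir"

# On a real server, point it at the live directory:
#   effective_sshd_option /etc/ssh/sshd_config.d PasswordAuthentication
```

On a live server, `sshd -T` (run as root) prints the configuration sshd actually resolved and remains the authoritative check.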