First things to do

First step after installing a new server.

• https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04
• https://www.thomas-krenn.com/de/wiki/Absicherung_eines_Debian_Servers
• https://www.thomas-krenn.com/de/wiki/SSH_Login_unter_Debian_mit_fail2ban_absichern

Create new User

  adduser sammy

Give sudo-rights

  usermod -aG sudo sammy

Generate SSH key

  ssh-keygen

Copy the public key to server

  ssh-copy-id sammy@your_server_ip

  ssh sammy@serverip -p PORT

  sudo nano /etc/ssh/sshd_config

  PermitRootLogin no

  ChallengeResponseAuthentication no

  service ssh restart

or

  systemctl restart sshd

    sudo apt update && sudo apt upgrade

Install und enable UFW and allow only SSH default (or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes), Disable all outbound traffic except for port 80. (Because paranoia). (allow out and incoming port 443, 80 and 22)

ufw allow APPLICATION
ufw enable
ufw disable
ufw status

Wichtige erste Ports zur Benutzung

  ufw allow ssh
  ufw allow http
  ufw allow https

  sudo apt install fail2ban

  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and configure (1 short-lock for 24 hours, one for 1 week block) https://www.booleanworld.com/protecting-ssh-fail2ban/
https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/

sudo nano /etc/fail2ban/jail.local

#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode    = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# input by stefan
# one day
findtime = 5400 ;1.5 hours
maxretry = 5
bantime = 86400 ;1 day

# input by stefan, longterm ban
# 30 attempts over 3 days result in a 1 week ban
[sshlongterm2]
port      = ssh
logpath   = %(sshd_log)s
banaction = iptables-multiport
findtime  = 259200 ;3 days
maxretry  = 10
bantime   = 604800 ;1 week
enabled   = true
filter    = sshd

[sshlongterm3]
enabled = true
filter = sshd
findtime = 15552000 ;6 months
maxretry = 15
bantime = 2592000 ;1 month
logpath   = %(sshd_log)s
banaction = iptables-multiport

Kontrolle mit tail

  tail -10f /var/log/fail2ban.log

install tools (vim, tmux, htop, nmap, sysstat)

install and configure mailserver (postfix mit s-nail?)

change later to “justOnError” in /etc/apt/apt.conf.d/50unattended-upgrades (multiple recipients separated with a komma)

Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup)

daily mail set up

Configure time-related stuff (tzdata, install ntp, setting the time zone to UTC)

disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces

• chef bootstrap (?)
• zsh (instead of bash), glances, rsync,
• Install most of the debug tools I've used in my life, just in case (lsof, gdb, iotop, slurm, strace)
• Enable Byobu - https://www.digitalocean.com/community/tutorials/how-to-install-and-use-byobu-for-terminal-management-on-ubuntu-16-04
• install etckeeper (etckeeper init, etckeeper commit -m initial)
• Webserver: letsencrypt
• vnstat
• install linuxbrew
• install git
• checkout my dot files from git
• install sudo and sudo-pam-auth. Configure it to work wi h ssh keys
• Learn Ansible? (install python-minimal for ansible)