{"id":20099008,"url":"https://github.com/jream/config-server","last_synced_at":"2025-05-06T06:30:48.084Z","repository":{"id":22519765,"uuid":"25860209","full_name":"JREAM/config-server","owner":"JREAM","description":"Helpful Instructions to Configuring an Ubuntu Server","archived":false,"fork":false,"pushed_at":"2017-03-17T23:14:51.000Z","size":724,"stargazers_count":27,"open_issues_count":0,"forks_count":7,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-09T09:11:58.514Z","etag":null,"topics":["cheatsheet","config","configuration","linux","server","ssh","webserver"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JREAM.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-10-28T08:42:23.000Z","updated_at":"2024-06-06T05:46:22.000Z","dependencies_parsed_at":"2022-07-25T09:16:59.654Z","dependency_job_id":null,"html_url":"https://github.com/JREAM/config-server","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JREAM%2Fconfig-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JREAM%2Fconfig-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JREAM%2Fconfig-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JREAM%2Fconfig-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JREAM","download_url":"https://codeload.github.com/JREAM/config-server/tar.gz/refs/heads/master","host":{"name":"G
itHub","url":"https://github.com","kind":"github","repositories_count":252633568,"owners_count":21779889,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cheatsheet","config","configuration","linux","server","ssh","webserver"],"created_at":"2024-11-13T17:07:39.306Z","updated_at":"2025-05-06T06:30:47.783Z","avatar_url":"https://github.com/JREAM.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Config Server\nThis is a guide to configuring an **Ubuntu 14 LTS** server. You could likely use it with other versions.\n\n---\n\n# Table of Contents\n- [Security](#security)\n    - [Update](#update)\n    - [Firewall UFW](#firewall-ufw)\n    - [SSH and Users](#ssh-and-users)\n    - [Fail2Ban](#fail2ban)\n    - [Rootkits](#rootkits)\n    - [Unattended Upgrades](#unattended-upgrades)\n    - [Apache2 Mod-Evasive](#apache2-mod-evasive)\n- [Packages](#packages)\n    - [Common Items](#common-items)\n    - [Enable PPA Repositories](#enable-ppa-repositories)\n- [Commands](#commands)\n    - [SSH Welcome Message](#ssh-welcome-message)  \n    - [Searching](#searching)\n    - [User Management](#user-management)\n    - [SFTP User](#sftp-user)\n- [Manage Network Scripts](#manage-network-scripts)\n    - [Checking Ports](#checking-ports)\n\n---\n# Security\nThese are necessities to keep your server secure. 
Not everything will be covered, but some of the most important items are.\n\n### Update\nWith any new installation you want to update!\n\n    sudo apt-get update\n    sudo apt-get upgrade -y\n\n### Firewall UFW\nUFW is the uncomplicated firewall. Allow the ports you need before enabling it, so that an existing SSH session is not cut off.\n\n    sudo ufw allow 80\n    sudo ufw allow 443\n    sudo ufw allow ssh\n    sudo ufw allow 911 \u003cor any number\u003e\n    sudo ufw enable\n\nSee your Firewall Rules:\n\n    sudo ufw status verbose\n\n### SSH and Users\nYou should first create a **non-root** user, since default logins are root on port 22:\n\n    sudo useradd -m -s /bin/bash user1\n    sudo passwd user1\n\nWe need **user1** to be a **super-user (su)**. Add the user in visudo:\n\n    $ visudo\n    --------\n    # User privilege specification\n    root    ALL=(ALL:ALL) ALL\n    user1   ALL=(ALL:ALL) ALL\n\n##### Change Default SSH Port\nTo change the default port of `22` to something else of your choice:\n\n    $ sudo vim /etc/ssh/sshd_config\n    -------------------------------\n    Port 22              # Change to: 1234\n    PermitRootLogin yes  # Change to: no\n\nReload SSH Configuration:\n\n    sudo service ssh reload\n\n##### Make Sure You can Login\nTest your new user by keeping your current terminal connected and opening a second terminal:\n\n    ssh user1@ip_address -p1234\n\nAlso make sure you can use sudo, so type `su -`\n\n##### User SSH Login\n---\n\nAs your new user (**user1**), if you want to log in with an SSH key, make sure you have a key on your **local** machine.\n\n    ssh-keygen -t rsa -b 4096 -C \"your-email@domain.com\"\n\nCreate your **remote** SSH folder and `authorized_keys` file, then paste the contents of your `id_rsa.pub` into it:\n\n    mkdir ~/.ssh\n    vim ~/.ssh/authorized_keys\n\nYour **local** `~/.ssh/id_rsa.pub` must match the **remote** `~/.ssh/authorized_keys`. 
Make sure it's on **one line!**\n\n##### SSH File Permissions\nHere are the permissions for your files (local and remote).\n\n    chmod 700 ~/.ssh \u0026\u0026\\\n    chmod 600 ~/.ssh/authorized_keys \u0026\u0026\\\n    chmod 644 ~/.ssh/id_rsa.pub \u0026\u0026\\\n    chmod 600 ~/.ssh/id_rsa\n\nDon't keep your `id_rsa` private key on the **remote** host; all you need to log in is the `authorized_keys` file. _Only host your private key for a locked down user for deployments._\n\n##### Quick SSH Login\nOn your local machine edit or create an ssh config for quick connection:\n\n    $ vim ~/.ssh/config\n    -------------------\n    Host myhost\n    Hostname 123.123.123.555\n    Port 1234\n    User user1\n\nYou should now be able to connect with:\n\n    ssh myhost\n\n### Fail2Ban\nFail2Ban bans IPs that show malicious behavior, such as too many password failures, searching for exploits and the like. The default configuration is good.\n\n    sudo apt-get install fail2ban\n\n### Rootkits\n\n    sudo apt-get install chkrootkit rkhunter\n\nEdit the chkrootkit configuration:\n\n    sudo vim /etc/chkrootkit.conf\n\nWe will run both weekly; however, we first need to change the configuration:\n\n    RUN_DAILY=\"true\"\n    RUN_DAILY_OPTS=\"\"\n    DIFF_MODE=\"false\"\n\nFor your reference, rkhunter's configuration file is located here: `/etc/default/rkhunter`\n\nGive rkhunter's weekly update job a different name before moving the other items to the weekly CRON:\n\n    sudo mv /etc/cron.weekly/rkhunter /etc/cron.weekly/rkhunter_update\n\nNext move the daily CRON to the weekly:\n\n    sudo mv /etc/cron.daily/chkrootkit /etc/cron.weekly\n    sudo mv /etc/cron.daily/rkhunter /etc/cron.weekly\n\n\n### Unattended Upgrades\nKeep security updates on a cron.\n\n    sudo apt-get install unattended-upgrades\n\nEdit the periodic update file:\n\n    sudo vim /etc/apt/apt.conf.d/10periodic\n\nUpdate your values to something like this:\n\n    APT::Periodic::Update-Package-Lists \"1\";\n    APT::Periodic::Download-Upgradeable-Packages 
\"1\";\n    APT::Periodic::AutocleanInterval \"7\";\n    APT::Periodic::Unattended-Upgrade \"1\";\n\n\n\n### Apache2 Mod-Evasive\nThis is useful against DDoS attacks. First install the needed packages.\n\n    sudo apt-get install apache2 apache2-utils libapache2-mod-evasive\n\nCreate the log directory.\n\n    sudo mkdir /var/log/mod_evasive\n    sudo chown www-data:www-data /var/log/mod_evasive\n\nEdit the configuration file:\n\n    sudo vim /etc/apache2/mods-available/mod_evasive.conf\n\nUncomment everything except `DOSSystemCommand` and add your email after `DOSEmailNotify`.\n\nReload Apache:\n\n    sudo a2enmod evasive\n    sudo service apache2 reload\n\n# Packages\nThe locations for `apt` package sources are:\n\n    /etc/apt/sources.list     # This is one long file of defaults\n    /etc/apt/sources.list.d/  # These are separate files for things like PPA adding\n    \nIf you choose to manually add a package source, I would recommend adding it as its own file, `/etc/apt/sources.list.d/your-source.list`; that way you can just delete it and `sudo apt-get update` if you don't want it -- rather than editing the main `sources.list` file.\n\n### Common Items\nThese are some common packages you can use. 
If you prefer `nginx` over `apache` then install that instead.\n\n    sudo apt-get install\\\n    git htop xclip\\\n    python-dev python-pip\\\n    php5 php5-dev\\\n    apache2 apache2-utils\n\n\n### Enable PPA Repositories\nThis should exist by default, but if it doesn't, install it:\n\n    sudo apt-get install python-software-properties\n\n# Commands\nThese are commands for reference.\n\n### SSH Welcome Message\nWhen you log in over SSH, you can add a custom welcome banner that looks cool:\n\n    sudo vim /etc/ssh/sshd_config\n    Banner /etc/banner\n\nThen create the file and add anything you want:\n\n    sudo vim /etc/banner\n    \nHere is an example:\n```\n   __ _____ _____ _____ _____ \n __|  | __  |   __|  _  |     |\n|  |  |    -|   __|     | | | |\n|_____|__|__|_____|__|__|_|_|_|\n-------------------------------\nServer 01               Welcome\n-------------------------------\n```\n    \nI used a text to ASCII generator for that. Then restart and it will appear next time you log in!\n\n    sudo service ssh restart\n\n## Searching\n\nSearch for a filename from system path\n\n    $ find / -name filename\n\nSearch the contents of a file\n\n    $ cat filename | grep \"text-to-find-here\"\n\nSearch within files in the current directory\n\n    $ grep -Ril \"text-to-find-here\" .\n\n    R (recursive)\n    i (case insensitive)\n    l (show the file name, not the result itself)\n\n## User Management\n\nSee the user defaults, and add a user with the defaults:\n\n    useradd -D\n    useradd user2\n\n    useradd -m user2                # Create Home, Default Shell\n    useradd -m -s /bin/bash user2   # Set Shell, Create Home\n\n    passwd user2                     # Change Passwd\n    userdel user2                     # Delete User\n\n    cat /etc/passwd # See Users\n    cat /etc/group # See Groups\n\nManually Add sudo (Super User)\n\n    $ visudo\n    --------\n    user2 ALL=(ALL) ALL\n\nChange a user's shell\n\n    sudo chsh -s /bin/bash user2\n\nAdd Existing user to 
Existing Group\n\n    usermod -a -G www-data user2\n\n## SFTP User\nFor SFTP access you should create a group and do the following:\n\n    sudo groupadd sftp_users\n    sudo usermod -a -G sftp_users user2\n\nFor a webserver, you should add the webserver group AS WELL\n\n    sudo usermod -a -G www-data user2\n\nEdit your SSHD config and append to the end of the file. The `Match group` name must be the group created above, and `ChrootDirectory` requires the directory and all of its parent directories to be owned by root and not writable by any other user or group.\n\n    $ sudo vim /etc/ssh/sshd_config\n    -------------------------------\n    Match group sftp_users\n        ChrootDirectory %h\n        X11Forwarding no\n        AllowTcpForwarding no\n        ForceCommand internal-sftp\n\nRestart SSH\n\n    sudo service ssh restart\n\n# Manage Network Scripts\nYou can add your own startup/shutdown scripts and the like in folders in this area:\n\n    /etc/network/if-down.d/\n    /etc/network/if-pre-up.d/\n\nJust make sure to `chmod +x filename.sh`\n\n## Checking Ports\nBeginner commands to [nmap](http://www.linux.com/learn/tutorials/290879-beginners-guide-to-nmap)\n\n    apt-get install nmap\n\nThere are many ways to check open ports:\n\n    sudo ufw status\n    sudo nmap -sT -O localhost\n\nOther ways to check ports\n\n    netstat -anp | grep 222\n    lsof -i | grep 222\n    telnet localhost 222\n\n---\n\nPermission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that notice appear in all copies.\n\n\u0026copy;2016 MIT License | Jesse Boyer | JREAM.com\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjream%2Fconfig-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjream%2Fconfig-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjream%2Fconfig-server/lists"}