Friday, April 10, 2020

After-Install Setup Tasks On Ubuntu 18

After Ubuntu 18 is running, you may want to do additional setup: setup a group and user, set colors, configure a firewall, setup dynamic DNS, and remove unused packages and services.


### Which version of the operating system. Also use "uname -a".
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic



### Become familiar with what is booting and running by watching the system log.
$ sudo tail -f /var/log/syslog


### Modify the shell login files in your home directory.
$ cd ~
$ cp -p .bashrc .bashrc.orig
$ mv .profile .profile.orig
$ mv .bashrc .bash_profile

### Set a default editor.
# Choose your editor
$ select-editor
# The editor may be set in your login files.
export EDITOR=vi

### Remove colorization.
# Using your file editor (such as vi) comment out all of the code with "color".
$ vi .bash_profile

# Also, put the present working directory at the end of the PATH variable by adding to end of file .bash_profile
export PATH=$PATH:.

# Log in again. Alternatively, "source" your logon file.
$ . ./.bash_profile


### Remove software until you are ready to use it
$ sudo apt-get remove openvpn
$ sudo systemctl disable openvpn
Synchronizing state of openvpn.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable openvpn
Unit /etc/systemd/system/openvpn.service is masked, ignoring.
# Then disable the openvpn startup file
$ cd /etc/default
$ sudo mv openvpn openvpn.20170702


### Alternatively, find and disable services you may not be using
$ systemctl list-units --all --type=service --no-pager
# Some services you may want to disable are
 cups-browsed.service  loaded  active  running Make remote CUPS printers
 cups.service          loaded  active  running CUPS Scheduler
 ModemManager.service  loaded  active  running Modem Manager

# Check the service, stop the service, then disable the service
$ systemctl status cups-browsed
 cups-browsed.service - Make remote CUPS printers available locally
   Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-04-05 00:05:14 MDT; 14h ago
 Main PID: 21137 (cups-browsed)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/cups-browsed.service
           └─21137 /usr/sbin/cups-browsed
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

$ sudo systemctl stop cups-browsed
$ sudo systemctl disable cups-browsed
$ sudo systemctl stop cups
$ sudo systemctl disable cups
$ sudo systemctl stop ModemManager
$ sudo systemctl disable ModemManager

# After the next machine restart, verify the services are not runing.
$ sudo reboot
 

#  Or alternatively use systemctl to restart the machine.
$ sudo systemctl reboot
$ systemctl list-units --all --type=service --no-pager


# Another example of disabling a service, for the Let's Encrypt https certbot service.
$ systemctl status certbot.service
● certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
   Active: inactive (dead) since Fri 2020-04-10 16:43:44 MDT; 5h 40min ago
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
           https://letsencrypt.readthedocs.io/en/latest/
 Main PID: 31598 (code=exited, status=0/SUCCESS)
$ sudo systemctl stop certbot
Warning: Stopping certbot.service, but it can still be activated by:
  certbot.timer
$ sudo systemctl disable certbot



### When you log on you will see messages about software updates.
38 packages can be updated.
34 updates are security updates.

$ Install the software updates.
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade


$ When you next logon, the upgrade counter should drop. Not all can take effect until after a reboot.
0 packages can be updated.
0 updates are security updates.
*** System restart required ***
$ sudo shutdown -r



### Setup a user and group. In this example, the new users is "testuser" and the new group is "minec".
$ sudo addgroup minec
$ cat /etc/group | grep minec

# Create new user.
$ sudo adduser testuser --ingroup minec
# At this point, you may want to log in as the user and run command "groups" to confirm the group is set up appropriately.

# Allow logon via ssh. Put user in /etc/ssh/sshd_config on the "AllowUsers" line
# Use "vi" or "vim" or similar editor to edit file /etc/ssh/sshd_config and add "testuser" to the "AllowUsers" line.
# After editing, it will look like this:
$ grep -i allowusers /etc/ssh/sshd_config
AllowUsers testuser
# You may want to review the security implications of the following settings in sshd_config:
# Protocol, PermitRootLogin, AuthorizedKeysFile, PermitEmptyPasswords
# IgnoreRhosts, PermitTunnel, ciphers.
$ grep -i ^permitrootlogin /etc/ssh/sshd_config
PermitRootLogin no


# Have ssh  reread the configuration file. First get the process ID, then send HUP signal to that PID.
$ ps -ef | grep 'bin/sshd'$ sudo kill -hup <sshd_pid>
# Alternatively use service manager to restart ssh
$ sudo systemctl restart ssh

# View the effective settings of sshd
$ sshd -T

# Maybe put testuser in sudoers. Careful with this, as it provides root access.
$ sudo usermod -aG sudo testuser

# Maybe modify defaults of sudo
$ sudo visudo


### Configure firewall
# "Uncomplicated FireWall", known as ufw, should already be installed. If not, run:
$ sudo apt install ufw
# Ensure the filtering of IPv6 firewall is on, even if you are not using IPv6 at this time
$ sudo vi /etc/default/ufw
# Ensure this line exists without a leading comment character:
$ IPV6=yes
# Setup ufw services
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https

# Deny outgoing SMTP mail
$ sudo ufw deny out 25

# Consider a block on geographic network address ranges.
# Look at the ufw settings
$ sudo ufw status numbered
$ sudo ufw enable
$ sudo ufw status



### If you have a changing IP (typical consumer-grade internet) and want to more easily host an incoming service, setup up dynamic DNS. Go to www.duckdns.org and configure a sub-domain for your host. Using the information from your sign up at duckdns.org, configure the following on the Linux machine.
$ cat /var/opt/duckdns/duck.sh
#!/bin/sh
DOMAINFQ="YOUR_DOMAIN.duckdns.org"
curl_out=$(echo url="https://www.duckdns.org/update?domains=YOUR_DOMAIN&token=YOUR_TOKEN" | /usr/bin/curl --insecure --silent --config - )
# Whatever is running this script (cron?) may want to direct output to a file in /tmp.
/bin/echo
/bin/date
/bin/echo duckdns updated $curl_out
/bin/echo 'dig output:'
/usr/bin/dig $DOMAINFQ | /bin/grep ^$DOMAINFQ
if [ $curl_out = "OK" ]; then
    /usr/bin/logger -p daemon.info "duckdns update ok. rc=" $curl_out
else
    /usr/bin/logger -p daemon.err "duckdns update failed. rc=" $curl_out
fi


# Run script every ten minutes from cron. Add this line to the crontab.
$ crontab -e
*/10 * * * * /var/opt/duckdns/duck.sh >>/tmp/duckdns.log 2>&1




### When you logon, the message displayed is from motd.dynamic.
$ ls -l /run/motd.dynamic
-rw-r--r-- 1 root root 753 Apr 11 17:58 /run/motd.dynamic


# If you do not yet have data backups configured, add a message to your users.
$ sudo vi /etc/update-motd.d/60-backup-warning
$ sudo chmod +x /etc/update-motd.d/60-backup-warning
# Add the following lines to this new file.
$ cat 60-backup-warning
#!/bin/sh
printf "\n"
printf "*** Warning: This machine is not on regular backups. Plan accordingly.\n"


# Consider disabling the live patch message, and others. Remove the execute permission.
$ sudo chmod -x /etc/update-motd.d/80-livepatch
$ sudo chmod -x /etc/update-motd.d/10-help-text



No comments:

Post a Comment