### Which version of the operating system. Also use "uname -a".
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
### Become familiar with what is booting and running by watching the system log.
$ sudo tail -f /var/log/syslog
### Modify the shell login files in your home directory.
$ cd ~
$ cp -p .bashrc .bashrc.orig
$ mv .profile .profile.orig
$ mv .bashrc .bash_profile
### Set a default editor.
# Choose your editor
$ select-editor
# The editor may be set in your login files.
EDITOR=vi
### Remove colorization.
# Using your file editor (such as vi) comment out all of the code with "color".
$ vi .bash_profile
# Also, put the present working directory at the end of the PATH variable by adding to end of file .bash_profile
PATH=$PATH:.
# Log in again. Alternatively, "source" your logon file.
$ . ./.bash_profile
### Remove software until you are ready to use it
$ sudo apt-get remove openvpn
$ sudo systemctl disable openvpn
Synchronizing state of openvpn.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable openvpn
Unit /etc/systemd/system/openvpn.service is masked, ignoring.# Then disable the openvpn startup file
$ cd /etc/default
$ sudo mv openvpn openvpn.20170702
### Alternatively, find and disable services you may not be using
$ systemctl list-units --all --type=service --no-pager
# Some services you may want to disable are
cups-browsed.service loaded active running Make remote CUPS printers
cups.service loaded active running CUPS Scheduler
ModemManager.service loaded active running Modem Manager
# Check the service, stop the service, then disable the service
$ systemctl status cups-browsed
cups-browsed.service - Make remote CUPS printers available locally
Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-04-05 00:05:14 MDT; 14h ago
Main PID: 21137 (cups-browsed)
Tasks: 3 (limit: 4915)
CGroup: /system.slice/cups-browsed.service
└─21137 /usr/sbin/cups-browsed
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
$ sudo systemctl stop cups-browsed
$ sudo systemctl disable cups-browsed
$ sudo systemctl stop cups
$ sudo systemctl disable cups
$ sudo systemctl stop ModemManager
$ sudo systemctl disable ModemManager
# After the next machine restart, verify the services are not runing.
$ sudo reboot
# Or alternatively use systemctl to restart the machine.
$ sudo systemctl reboot
$ systemctl list-units --all --type=service --no-pager
# Another example of disabling a service, for the Let's Encrypt https certbot service.
$ systemctl status certbot.service
● certbot.service - Certbot
Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
Active: inactive (dead) since Fri 2020-04-10 16:43:44 MDT; 5h 40min ago
Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
https://letsencrypt.readthedocs.io/en/latest/
Main PID: 31598 (code=exited, status=0/SUCCESS)
$ sudo systemctl stop certbot
Warning: Stopping certbot.service, but it can still be activated by:
certbot.timer
$ sudo systemctl disable certbot
### When you log on you will see messages about software updates.
38 packages can be updated.
34 updates are security updates.
$ Install the software updates.
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade
$ When you next logon, the upgrade counter should drop. Not all can take effect until after a reboot.
0 packages can be updated.
0 updates are security updates.
*** System restart required ***
$ sudo shutdown -r
### Setup a user and group. In this example, the new users is "testuser" and the new group is "minec".
$ sudo addgroup minec
$ cat /etc/group | grep minec
# Create new user.
$ sudo adduser testuser --ingroup minec
# At this point, you may want to log in as the user and run command "groups" to confirm the group is set up appropriately.
# Allow logon via ssh. Put user in /etc/ssh/sshd_config on the "AllowUsers" line
# Use "vi" or "vim" or similar editor to edit file /etc/ssh/sshd_config and add "testuser" to the "AllowUsers" line.
# After editing, it will look like this:
$ grep -i allowusers /etc/ssh/sshd_config
AllowUsers testuser
# You may want to review the security implications of the following settings in sshd_config:
# Protocol, PermitRootLogin, AuthorizedKeysFile, PermitEmptyPasswords
# IgnoreRhosts, PermitTunnel, ciphers.
$ grep -i ^permitrootlogin /etc/ssh/sshd_config
PermitRootLogin no
# Have ssh reread the configuration file. First get the process ID, then send HUP signal to that PID.
$ ps -ef | grep 'bin/sshd'$ sudo kill -hup <sshd_pid>
# Alternatively use service manager to restart ssh
$ sudo systemctl restart ssh
# View the effective settings of sshd
$ sshd -T
# Maybe put testuser in sudoers. Careful with this, as it provides root access.
$ sudo usermod -aG sudo testuser
# Maybe modify defaults of sudo
$ sudo visudo
### Configure firewall
# "Uncomplicated FireWall", known as ufw, should already be installed. If not, run:
$ sudo apt install ufw
# Ensure the filtering of IPv6 firewall is on, even if you are not using IPv6 at this time
$ sudo vi /etc/default/ufw
# Ensure this line exists without a leading comment character:
$ IPV6=yes
# Setup ufw services
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
# Deny outgoing SMTP mail
$ sudo ufw deny out 25
# Consider a block on geographic network address ranges.
# Start the firewall.
$ sudo ufw enable
# Look at the ufw settings
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
25 DENY OUT Anywhere
25 (v6) DENY OUT Anywhere (v6)
### If you have a changing IP (typical consumer-grade internet) and want to more easily host an incoming service, setup up dynamic DNS. Go to www.duckdns.org and configure a sub-domain for your host. Using the information from your sign up at duckdns.org, configure the following on the Linux machine.
$ cat /var/opt/duckdns/duck.sh
#!/bin/sh
DOMAINFQ="YOUR_DOMAIN.duckdns.org"
curl_out=$(echo url="https://www.duckdns.org/update?domains=YOUR_DOMAIN&token=YOUR_TOKEN" | /usr/bin/curl --insecure --silent --config - )
# Whatever is running this script (cron?) may want to direct output to a file in /tmp.
/bin/echo
/bin/date
/bin/echo duckdns updated $curl_out
/bin/echo 'dig output:'
/usr/bin/dig $DOMAINFQ | /bin/grep ^$DOMAINFQ
if [ $curl_out = "OK" ]; then
/usr/bin/logger -p daemon.info "duckdns update ok. rc=" $curl_out
else
/usr/bin/logger -p daemon.err "duckdns update failed. rc=" $curl_out
fi
# Run script every twenty minutes from cron. As the duckdns user, add a line to the crontab.
$ crontab -e
*/20 * * * * /var/opt/duckdns/duck.sh >>/tmp/duckdns.log 2>&1
# Watch the duckdns log file from cron which should be in /tmp.
### When you logon to the machine, the message displayed is from motd.dynamic.
$ ls -l /run/motd.dynamic
-rw-r--r-- 1 root root 753 Apr 11 17:58 /run/motd.dynamic
# If you do not yet have data backups configured, add a message to your users.
$ sudo vi /etc/update-motd.d/60-backup-warning
$ sudo chmod +x /etc/update-motd.d/60-backup-warning
# Add the following lines to this new file.
$ cat 60-backup-warning
#!/bin/sh
printf "\n"
printf "*** Warning: This machine is not on regular backups. Plan accordingly.\n"
# Consider disabling the live patch message, and others. Remove the execute permission.
$ sudo chmod -x /etc/update-motd.d/80-livepatch
$ sudo chmod -x /etc/update-motd.d/10-help-text
