How I set up my Ubuntu servers

My go-to for servers is usually Ubuntu, and these are the tools/packages and steps I use on every server I personally install.

If you want to try this out on a live server, check out my recommended Virtual Private Servers on my favorites page.

I first update the package database, then install Vim and Curl. The -y means don't ask me, just install it.

apt-get update && apt-get install vim curl -y

Now that I know Vim is installed, I edit the apt sources so it will pick the best mirrors available.

vim /etc/apt/sources.list

I paste one of these at the top of the sources.list file.

Ubuntu 14.04

deb mirror://mirrors.ubuntu.com/mirrors.txt trusty main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-updates main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-backports main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-security main restricted universe multiverse

Ubuntu 16.04

deb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse

Comment out the other deb lines in there by placing a # in front of them. Do not comment out the security deb lines though. Whichever mirror ends up answering, apt still verifies the archive signature on the Release file it downloads, so a bad mirror can serve stale packages but not modified ones.

If I am not logged in as root already, I switch to a root shell.

sudo su -

I add extra repositories (PPAs) to make sure that I get the latest versions of packages such as vim and tmux. A PPA is a third-party repository: add-apt-repository imports its signing key, and its packages can replace the distro's own, so only add PPAs whose maintainer you trust.

apt-get install software-properties-common -y
add-apt-repository ppa:byobu/ppa -y
add-apt-repository ppa:pi-rho/dev -y
apt-get update
apt-get install tmux ncdu -y
apt-get upgrade -y
apt-get autoremove -y

I reboot to make sure everything is hunky-dory.

reboot

I like to make sure that the language files for en_US are fully generated and configured

locale-gen en_US en_US.UTF-8
dpkg-reconfigure locales

I install Glances, which is like top and htop but with a lot more detail, a web interface, and the ability to export the data it displays to something such as Grafana.

curl -L http://bit.ly/glances | /bin/bash

One caveat that applies to any curl | bash install: this fetches a script through a link shortener over plain HTTP and hands it straight to a root shell, so whoever controls the shortener's target (or the network in between) controls what runs on the server. If you use it, download the script to a file first, read it, and only then run it; the Ubuntu archive also carries a (usually older) glances package that apt installs from the signed repositories.
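As an added example (my code, not the post's and not the Glances project's installer), here is the download-then-verify pattern for that kind of install script: the script is fetched to a file, compared against a SHA-256 you recorded earlier from a copy you read on a machine you trust, and only handed to an interpreter if it matches. The URL and hash in the usage comment are placeholders.

```shell
#!/bin/bash
# Download an install script, pin it to a known SHA-256, and only then run it.
# Added example; the hash is recorded once from a copy you have read, not fetched
# from the same place as the script (that would prove nothing).

verify_sha256() {  # usage: verify_sha256 FILE EXPECTED_HEX -> exit 0 only if the file matches
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

fetch_and_run() {  # usage: fetch_and_run URL EXPECTED_HEX [INTERPRETER]
  local url="$1" expected="$2" interp="${3:-/bin/bash}" tmp rc
  tmp="$(mktemp)" || return 1
  # --fail turns an HTTP error into a non-zero exit instead of saving an error page;
  # -L follows the shortener's redirect, so what gets hashed is the final script.
  if ! curl --fail -sSL -o "$tmp" "$url"; then
    rm -f "$tmp"
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "refusing to run $url: SHA-256 does not match the pinned value" >&2
    rm -f "$tmp"
    return 2
  fi
  "$interp" "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage (placeholder hash, not a real value for the Glances installer):
#   fetch_and_run http://bit.ly/glances 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
```

If the script changes upstream the hash check fails and nothing runs, which is the point: you then re-read the new version and update the pinned value deliberately rather than executing whatever the URL happens to serve that day.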

Now I install Mosh, Byobu, htop, vnstat, and sshguard.

apt install mosh byobu htop vnstat sshguard -y

I enable byobu so every time I log in it just starts right away.

byobu-enable

I make sure that a .ssh directory exists, with permissions sshd will accept, before I give the server my ssh public key. With StrictModes on (the default) sshd ignores authorized_keys if ~/.ssh or the file itself is writable by anyone other than the owner.

mkdir -p -m 700 ~/.ssh

Let's log out, either by pressing F6 or by typing exit.

On my computer I run this in another terminal (ssh-copy-id username@server.ip does the same thing and also sets the permissions of authorized_keys).

cat ~/.ssh/id_rsa.pub | ssh username@server.ip "cat >> ~/.ssh/authorized_keys"

Now from my terminal I connect with

mosh username@server.ip

or, if I don't have mosh installed locally,

ssh username@server.ip

I should be able to log in with my ssh key without being prompted for the root/user password.
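Once the key login works, this is the point to stop accepting passwords at all; otherwise sshguard is the only thing standing between a guessed password and a root shell. The script below is an added example (mine, not from the post): it edits /etc/ssh/sshd_config idempotently, moves sshd to the port the firewall section of this post uses as its example (6222), disables password and challenge-response authentication, limits root to key logins, and refuses to reload a config that sshd -t rejects. The helper names are mine; the option names are OpenSSH's.

```shell
#!/bin/bash
# Added example: set sshd options idempotently, then test the config before reloading.
# Paths and the port follow the post; the function names are mine.

# Rewrite the first global occurrence of KEY (commented out or not) to "KEY VALUE",
# drop later global duplicates, and, when KEY is absent, insert it before the first
# Match block. Options after a Match line apply only inside that block, which is why
# a plain "echo KEY VALUE >> sshd_config" is not safe.
set_sshd_option() {  # usage: set_sshd_option FILE KEY VALUE
  local file="$1" key="$2" value="$3" tmp rc
  tmp="$(mktemp)" || return 1
  awk -v key="$key" -v value="$value" '
    $1 == "Match" && !in_match { in_match = 1; if (!done) { print key " " value; done = 1 } }
    !in_match && ($1 == key || $1 == ("#" key)) {
      if (!done) { print key " " value; done = 1 }   # first occurrence becomes the setting
      next                                           # later global duplicates are dropped
    }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Effective global value of KEY: sshd uses the first uncommented occurrence before any Match.
get_sshd_option() {  # usage: get_sshd_option FILE KEY
  awk -v key="$2" '$1 == "Match" { exit } $1 == key { print $2; exit }' "$1"
}

harden_sshd_config() {  # usage: harden_sshd_config FILE PORT
  local file="$1" port="$2"
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PubkeyAuthentication yes
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" ChallengeResponseAuthentication no
  # "without-password" is understood by the OpenSSH in both 14.04 and 16.04 (newer
  # releases spell it "prohibit-password"): root may log in with a key only.
  set_sshd_option "$file" PermitRootLogin without-password
}

# Apply to the real config only when asked explicitly: ./harden-sshd.sh --apply 6222
# Keep your current session open and confirm a NEW key login on the new port works
# before closing it. "sshd -t" exits non-zero on a config sshd would reject, so the
# reload only happens for a config that parses.
if [ "${1:-}" = "--apply" ]; then
  cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
  harden_sshd_config /etc/ssh/sshd_config "${2:-6222}"
  sshd -t && service ssh reload
fi
```

The firewall has to allow the new port before the reload, and the old port stays open until you close it, so the safe sequence is: add the iptables rule for 6222, run the script, open a second terminal and log in on 6222, and only then remove the rule for 22.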

I recommend one last reboot after all of that.

After that last reboot, I set up sshguard (the brute-force protection software) and my iptables rules.

I initially tell iptables to accept everything. The order matters here: if the policy were already DROP, the flush in the next step would leave nothing but that DROP policy and cut off my own SSH session.

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Also, flush the iptables rules so I am starting fresh.

iptables -F

This is usually automatically done by sshguard when it is installed, but I run it anyway to make sure that sshguard has a chain in iptables (it just prints an error if the chain already exists).

iptables -N sshguard

Then I add the rules. Order matters because iptables stops at the first rule that matches, and the list below is already in the order it needs to be: loopback and already-tracked connections first, then the jump into sshguard's chain, and only after that the ACCEPT for the SSH port (in the other order an IP that sshguard has blocked is accepted before its chain is ever consulted), with the DROP policies set last so my own session is never cut off. Before adding the SSH rule I make sure that I have edited the /etc/ssh/sshd_config file to match the port number I would like to use; below I have used 6222 as an example.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j sshguard                                            # sshguard's per-attacker DROP rules live in this chain; it must come before the SSH ACCEPT
iptables -A INPUT -p udp --dport 60000:61000 -j ACCEPT                   # MOSH access
iptables -A INPUT -p tcp --dport 6222 -m state --state NEW -j ACCEPT     # SSH; change 6222 to the port in your sshd_config
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 161 -m state --state NEW -j ACCEPT      # SNMP; add -s YOUR.MONITOR.IP so it is not open to the whole internet
iptables -A INPUT -p udp --dport 161 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 10050 -m state --state NEW -j ACCEPT    # optional: lets your Zabbix server poll the agent; restrict with -s as well
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 60000:61000 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT      # outbound SSH (git over ssh, for example)
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT    # git:// protocol
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP   # optional; with this set, anything not listed above (NTP on udp 123, for instance) is blocked outbound

I will run ifconfig -a to grab the server's public IP for the next step (ip -4 addr shows the same thing on systems without net-tools). On a VPS behind the provider's NAT the interface carries a private address; that is the address the kernel sees on incoming packets, so use it rather than the public one or the -d match below never fires.

ifconfig -a

These rules below are for allowing ICMP (PING) in and out of the server.

SERVERIP=REPLACE.WITH.SERVER.IP
echo $SERVERIP
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVERIP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVERIP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVERIP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVERIP -m state --state ESTABLISHED,RELATED -j ACCEPT

OpenVPN iptables rules (optional)

If you plan to run an OpenVPN server on this box (accept clients on UDP 1194 and forward their traffic out through eth0), these are the rules you would need. If you are not planning to do that then you can just skip it. Two things the rules alone do not do: forwarding also needs net.ipv4.ip_forward=1 via sysctl, and clients only reach the internet through the server if you add a POSTROUTING MASQUERADE (or SNAT) rule in the nat table. Check the interface name too; 16.04 uses predictable names such as ens3 rather than eth0.

iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT        # clients connecting in
iptables -A INPUT -i tun+ -j ACCEPT                                                  # anything arriving from the tunnel
iptables -A FORWARD -i tun+ -j ACCEPT                                                # forward client traffic out (this already covers the next rule)
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies back to clients
iptables -A OUTPUT -o tun+ -j ACCEPT

Save iptables

iptables-persistent saves your iptables rules so they are re-added after every reboot and you don't have to worry about losing your rules. The command below used to work on Ubuntu 14.04 but it seems to be borked on 16.04. It will install and save the rules after the install, but I haven't looked into it any further as to why iptables-persistent save no longer works. The reason is that on 16.04 iptables-persistent became a plugin of netfilter-persistent, so the service is now called netfilter-persistent and the old name is simply not found. Both releases load /etc/iptables/rules.v4 at boot, so writing that file with iptables-save works on either.

apt install iptables-persistent
service iptables-persistent save        # 14.04
netfilter-persistent save               # 16.04
iptables-save > /etc/iptables/rules.v4  # either release
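Instead of typing the rules one at a time over the SSH session they protect, the whole filter table can be written as one iptables-restore file and loaded atomically, with the sshguard jump guaranteed to sit before the SSH ACCEPT and the policies applied in the same operation as the rules. This is an added example (mine, not the post's commands): the SSH port, the mosh range, the sshguard chain name and the HTTP/HTTPS/ICMP rules follow the post; the function names, the optional monitoring-host argument and the two-minute revert timer are mine. The post's optional egress rules and OpenVPN rules can be added inside the heredoc in the same syntax.

```shell
#!/bin/bash
# Added example: generate the firewall as an iptables-restore file, check it, and load it
# atomically with a dead-man switch so a mistake cannot lock you out of the server.

gen_rules() {  # usage: gen_rules SSH_PORT [MONITOR_IP]  -> iptables-restore text on stdout
  local ssh_port="${1:-6222}" monitor="${2:-}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
# Loopback and replies to connections we already track come first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# sshguard inserts per-attacker DROP rules into its chain, so every NEW
# connection must pass through it BEFORE any ACCEPT for the SSH port.
-A INPUT -j sshguard
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 60000:61000 -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
  # SNMP and the Zabbix agent port are reachable only from the monitoring host, never from 0/0.
  if [ -n "$monitor" ]; then
    cat <<EOF
-A INPUT -s ${monitor} -p udp --dport 161 -j ACCEPT
-A INPUT -s ${monitor} -p tcp --dport 10050 -m conntrack --ctstate NEW -j ACCEPT
EOF
  fi
  echo "COMMIT"
}

# Sanity check run before loading: the sshguard jump has to precede the SSH ACCEPT.
sshguard_before_ssh() {  # usage: sshguard_before_ssh SSH_PORT [MONITOR_IP]
  local rules g a
  rules="$(gen_rules "$@")"
  g="$(printf '%s\n' "$rules" | grep -n -- '-j sshguard$' | head -n1 | cut -d: -f1)"
  a="$(printf '%s\n' "$rules" | grep -n -- "--dport ${1:-6222} .*-j ACCEPT$" | head -n1 | cut -d: -f1)"
  [ -n "$g" ] && [ -n "$a" ] && [ "$g" -lt "$a" ]
}

# Load with a dead-man switch: if the new rules lock you out, the old ones return in 2 minutes.
apply_rules() {  # usage: apply_rules SSH_PORT [MONITOR_IP]   (run as root)
  local revert
  sshguard_before_ssh "$@" || return 1
  gen_rules "$@" | iptables-restore --test || return 1     # parse only, commit nothing
  iptables-save > /root/iptables.before
  ( sleep 120 && iptables-restore < /root/iptables.before ) &
  revert=$!
  gen_rules "$@" | iptables-restore
  echo "rules loaded; from a NEW session run: kill $revert && iptables-save > /etc/iptables/rules.v4"
}
```

apply_rules 6222 10.0.0.5 loads the set (10.0.0.5 standing in for your monitoring host); if a fresh login on the new port works, kill the revert timer it prints and save the rules to /etc/iptables/rules.v4. iptables-restore replaces the whole filter table each time, which also clears any blocks sshguard has already added; sshguard puts them back as it sees new attempts.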

Just a side note if you need to delete a line from your iptables you can do it like this

This line will display the rules with line numbers

iptables -nvL --line-numbers

This will delete that rule; make sure you use the correct CHAIN and replace # with the line number you want removed. Deleting a rule renumbers everything after it, so list the chain again before deleting another one.

iptables -D CHAIN #

Example: iptables -D INPUT 3