Setup for a new Ubuntu server, based on http://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/
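# Update the system's packages
# The commands in this checklist that carry no `sudo` assume a root shell.
# `&&` stops the upgrade from running against stale package lists when the
# index refresh fails.
apt-get update && apt-get upgrade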
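# Set up the `deploy` user
# --create-home and --shell replace the separate mkdir/usermod steps.
useradd --create-home --shell /bin/bash deploy
# -m 700 creates the directory with its final mode, so it never exists with
# the looser umask default.
mkdir -m 700 /home/deploy/.ssh

# Set up ssh key access for `deploy` user
touch /home/deploy/.ssh/authorized_keys
# MANUAL STEP: edit `/home/deploy/.ssh/authorized_keys` to contain the public
# key you'd like to use for logging `deploy` in
chmod 400 /home/deploy/.ssh/authorized_keys
# Options go before operands; sshd ignores authorized_keys that `deploy` does
# not own, so the ownership fix comes after the key has been written.
chown -R deploy:deploy /home/deploy

# MANUAL STEP: `passwd deploy` to configure a password for this user.
# This password is what sudo will ask for; SSH password logins are turned off
# in the sshd_config step of this checklist.

# MANUAL STEP: `visudo` and add these lines:
#   root ALL=(ALL) ALL
#   %sudo ALL=(ALL:ALL) ALL
# NOTE(review): a stock Ubuntu sudoers file usually already carries equivalent
# entries - check before adding duplicates.

# Add `deploy` to the `sudo` group
# This gives the account full root through sudo. If the same account also runs
# the application, consider a separate unprivileged service user for that.
usermod -aG sudo deploy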
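# Configure ssh
vim /etc/ssh/sshd_config
# MANUAL STEP: set these directives:
#   PermitRootLogin no
#   PasswordAuthentication no
#   AllowUsers deploy@(your-VPN-or-static-IP)
#   AddressFamily inet

# The edits take effect only once sshd re-reads its configuration. `sshd -t`
# checks the file first, so a typo cannot take the daemon down.
# Do this only after deploy's key is in authorized_keys. Keep the current root
# session open and confirm a fresh `deploy` login from a second terminal before
# closing it - PermitRootLogin/PasswordAuthentication "no" remove the fallback.
sshd -t && service ssh restart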
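# Set up a firewall
apt-get install ufw
# State the baseline policy explicitly instead of relying on the package default.
ufw default deny incoming
ufw default allow outgoing
# SSH, HTTP and HTTPS are TCP services; a bare port number would open UDP too.
# (Add 443/udp yourself if you serve HTTP/3.)
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
# The sshd AllowUsers rule pins logins to one source address; the firewall can
# mirror that instead of exposing port 22 to everyone:
#   ufw allow from <your-VPN-or-static-IP> to any port 22 proto tcp
# disable + enable restarts the firewall with the rules above. `ufw enable`
# warns that it may disrupt existing SSH connections - the port 22 rule is
# added first for exactly that reason.
ufw disable
ufw enable
# Confirm what is actually being enforced.
ufw status verbose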
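# Auto upgrades
apt-get install unattended-upgrades

vim /etc/apt/apt.conf.d/10periodic
# MANUAL STEP: Update this file to match this:
#   APT::Periodic::Update-Package-Lists "1";
#   APT::Periodic::Download-Upgradeable-Packages "1";
#   APT::Periodic::AutocleanInterval "7";
#   APT::Periodic::Unattended-Upgrade "1";

vim /etc/apt/apt.conf.d/50unattended-upgrades
# MANUAL STEP: Update this file to match this:
#   (the target contents are not listed in this checklist - take them from the
#   guide it is based on)
# NOTE(review): presumably the intent is to limit
# Unattended-Upgrade::Allowed-Origins to the security pocket so that only
# security fixes install unattended - confirm against the guide.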
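# fail2ban
apt-get install fail2ban
# Put local overrides in /etc/fail2ban/jail.local rather than editing
# jail.conf, which package upgrades can overwrite.

# 2-factor auth
apt-get install libpam-google-authenticator
# A bare `su deploy` opens an interactive shell and the next command then runs
# as root once that shell exits. `-c` runs the enrolment as `deploy`, so the
# secret is written to deploy's home directory.
su - deploy -c google-authenticator
# Store the emergency scratch codes it prints somewhere safe, off this server.
# NOTE(review): installing the module and enrolling a token does not enforce
# 2FA on its own. sshd has to be told to use it: an
# `auth required pam_google_authenticator.so` line in /etc/pam.d/sshd,
# keyboard-interactive authentication enabled in sshd_config, and - with
# key-only logins - `AuthenticationMethods publickey,keyboard-interactive`.
# Test from a second session before closing the current one.

# Logwatch
apt-get install logwatch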
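# Node
# Piping a download straight into a root shell runs whatever the server (or a
# truncated or error response) returns, unread. Save it, read it, then run it.
# NOTE(review): Node 4.x is past its upstream end-of-life and no longer gets
# security fixes - pick a currently maintained release line before using this.
node_setup=$(mktemp)
# -f makes curl fail on an HTTP error instead of saving the error page.
curl -fsSL -o "$node_setup" https://deb.nodesource.com/setup_4.x
# MANUAL STEP: review the script before it runs as root.
less "$node_setup"
bash "$node_setup"
rm -f -- "$node_setup"
apt-get install -y nodejs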