richlamdev/ubuntu.txt

## ubuntu.txt
INITIAL PACKAGES TO INSTALL
sudo apt update
sudo apt install vim git ansible sshpass

DNS CONFIG
/etc/systemd/resolved.conf
DNS=192.168.x.x 192.168.x.x
(space delimited/separation between DNS server list)
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved.service

#get status:
resolvectl | grep -i "Current DNS"

CONFIGURE UTC OFFSET
sudo timedatectl set-timezone America/Vancouver

NTP Configure
edit /etc/systemd/timesyncd.conf
NTP=192.168.x.x 192.168.x.x
(space delimited/separation between NTP server list)
sudo systemctl restart systemd-timesyncd.service

#get status:
timedatectl timesync-status
timedatectl status
timedatectl show-timesync


DISABLE NOUVEAU (install nvida drivers)
/etc/modprobe.d/blacklist.conf
blacklist nouveau
options nouveau modeset=0

OR

sudo bash -c "echo blacklist nouveau > /etc/modprobe.d/blacklist-nvidia-nouveau.conf"

sudo bash -c "echo options nouveau modeset=0 >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf"

/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash ipv6.disable=1 nouveau.blacklist=1 "

sudo update-initramfs -u
sudo update-grub2

NVIDIA DRIVERS FOR LAPTOP
#sudo apt-get purge libvdpau-va-gl1 bumblebee* nvidia
#sudo apt-get install nvidia-390 nvidia-settings nvidia-prime
#sudo nvidia-settings

NVIDIA DRIVERS AUTO INSTALL
#sudo add-apt-repository ppa:graphics-drivers/ppa
#sudo apt update
#ubuntu-drivers devices
#sudo ubuntu-drivers autoinstall

NVIDIA DRIVERS MANUAL INSTALL
sudo ubuntu-drivers devices
sudo apt install gcc make
sudo apt install nvidia-390 nvidia-settings

HASHCAT
#sudo apt install ocl-icd-* opencl-headers lsb-core
sudo apt install ocl-icd-libopencl1 nvidia-cuda-toolkit
nvidia-smi
sudo reboot

sudo add-apt-repository ppa:graphics-drivers/ppa
sudo apt-get update
sudo apt-get install mesa-common-dev freeglut3-dev
sudo reboot


UFW CONFIG
sudo ufw limit proto tcp from 192.168.x.x/24 to any port 22
sudo ufw limit 22/tcp

sudo ufw status numbered
sudo ufw delete <number>
sudo ufw app list

# /etc/ufw/ufw.conf
IPV6=no
# /etc/default/ufw
IPV6=no


GOOGLE CHROME INSTALL
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
sudo sh -c 'echo "deb https://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
sudo apt-get update
sudo apt-get install google-chrome-stable


DISABLE IPV6
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
sudo update-grub

sudo vim /etc/sysctl.conf
# Add the following to bottom of file:
sudo sh -c "echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf" ;
sudo sh -c "echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf";
sudo sh -c "echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf" ;
sudo sysctl -p


SSHD_CONFIG
/etc/ssh/sshd_config
AddressFamily=inet
X11Forwarding=no
PermitRootLogin=no

For publickey authentication only:
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes

DISABLE VMWARE PORT 902
1. In /etc/init.d/vmware

Comment out the line:
         vmware_exec 'VMware Authentication Daemon' vmware_start_authdlauncher
Add the following line:
         echo 'Skipping: VMware Authentication Daemon'

DISABLE SERVICES
sudo apt-get purge avahi-daemon avahi-utils
sudo apt-get purge whoopsie
sudo apt-get purge apport

sudo systemctl status

sudo service --status-all
sudo systemctl disable openvpn

sudo chmod -x /usr/libexec/evolution-addressbook-factory
sudo chmod -x /usr/libexec/evolution-calendar-factory
sudo chmod -x /usr/libexec/evolution-data-server/evolution-alarm-notify
sudo chmod -x /usr/libexec/evolution-source-registry


SSH KEY Generation
ssh-keygen -t rsa -b 4096
cat id_rsa.pub >> ~/.ssh/authorized_keys
sudo chmod 644 ~/.ssh/authorized_keys

/etc/ssh/sshd_config
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no


INSTALL DUO
Create /etc/apt/sources.list.d/duosecurity.list with the following contents:
for 18.04 (bionic)

sudo sh -c "echo 'deb http://pkg.duosecurity.com/Ubuntu bionic main' >> /etc/apt/sources.list.d/duosecurity.list"

curl -s https://duo.com/APT-GPG-KEY-DUO | sudo apt-key add -
sudo apt-get update && sudo apt-get install duo-unix

FIX CHROME REP ERRORS:
sudo vim /etc/apt/sources.list.d/google.list
#deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
sudo apt-get update


PRINTER E250DN CUPS INSTALL
1) Choose App/Socket/HP JetDirect
2) socket://192.168.x.x whatever the IP address of your printer is. Do not add :9100


PIP
pip3 install --user --upgrade pip

MOZILLA OBSERVATORY
git clone https://github.com/mozilla/http-observatory.git
cd http-observatory
pip3 install --user --upgrade .
pip3 install --upgrade -r requirements.txt

./httpobs-local-scan github.com  --format report >> github.log
grep --colour=always -E '[0-9]| not implemented' github.log


CRYPTSETUP

sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdx1

sudo cryptsetup luksDump /dev/sdx1

sudo cryptsetup luksOpen /dev/sdx1 luks_temp
sudo mkfs.ext4 /dev/mapper/luks_temp
sudo tune2fs /dev/mapper/luks_temp -m1

COMPILE NMAP
sudo apt install flex
sudo apt install bison
sudo apt install libssl-dev

# libnmap
pip3 install python-libnmap

SAMBA / CIFS
sudo mount -t cifs -o user=username,uid=uid_of_username,gid=gid_of_username //ip_or_hostname/sharename  /folder

sudo umount /folder

ATFTPD / ATFTP
sudo apt-get install atftpd
sudo mkdir /tftp
sudo chmod -R 777 /tftp
sudo chown -R nobody /tftp

# /etc/default/atftpd
USE_INETD=false
# OPTIONS below are used only with init script
OPTIONS="--tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr 239.239.239.0-255 --mcast-ttl 1 --maxthread 100 --verbose=7 /tftp --logfile /var/log/atftp.log"

sudo touch /var/log/atftpd.log
sudo chmod 644 /var/log/atftpd.log

sudo systemctl enable atftpd
sudo systemctl restart atftpd

netstat -lnp | grep ":69 "


PARTED (format USB or Hard disk)
sudo parted -a optimal /dev/sdb
print
mklabel gpt (or msdos,mac,bsd)
mkpart exfat 0% 100%

sudo parted /dev/sdb align-check optimal 1   (1 is ths partition number, or use minimal)

sudo mkfs.exfat /dev/sdb1
	INITIAL PACKAGES TO INSTALL
	sudo apt update
	sudo apt install vim git ansible sshpass

	DNS CONFIG
	/etc/systemd/resolved.conf
	DNS=192.168.x.x 192.168.x.x
	(space delimited/separation between DNS server list)
	sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
	sudo systemctl restart systemd-resolved.service

	#get status:
	resolvectl \| grep -i "Current DNS"

	CONFIGURE UTC OFFSET
	sudo timedatectl set-timezone America/Vancouver

	NTP Configure
	edit /etc/systemd/timesyncd.conf
	NTP=192.168.x.x 192.168.x.x
	(space delimited/separation between NTP server list)
	sudo systemctl restart systemd-timesyncd.service

	#get status:
	timedatectl timesync-status
	timedatectl status
	timedatectl show-timesync


	DISABLE NOUVEAU (install nvida drivers)
	/etc/modprobe.d/blacklist.conf
	blacklist nouveau
	options nouveau modeset=0

	OR

	sudo bash -c "echo blacklist nouveau > /etc/modprobe.d/blacklist-nvidia-nouveau.conf"

	sudo bash -c "echo options nouveau modeset=0 >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf"

	/etc/default/grub
	GRUB_CMDLINE_LINUX_DEFAULT="quiet splash ipv6.disable=1 nouveau.blacklist=1 "

	sudo update-initramfs -u
	sudo update-grub2

	NVIDIA DRIVERS FOR LAPTOP
	#sudo apt-get purge libvdpau-va-gl1 bumblebee* nvidia
	#sudo apt-get install nvidia-390 nvidia-settings nvidia-prime
	#sudo nvidia-settings

	NVIDIA DRIVERS AUTO INSTALL
	#sudo add-apt-repository ppa:graphics-drivers/ppa
	#sudo apt update
	#ubuntu-drivers devices
	#sudo ubuntu-drivers autoinstall

	NVIDIA DRIVERS MANUAL INSTALL
	sudo ubuntu-drivers devices
	sudo apt install gcc make
	sudo apt install nvidia-390 nvidia-settings

	HASHCAT
	#sudo apt install ocl-icd-* opencl-headers lsb-core
	sudo apt install ocl-icd-libopencl1 nvidia-cuda-toolkit
	nvidia-smi
	sudo reboot

	sudo add-apt-repository ppa:graphics-drivers/ppa
	sudo apt-get update
	sudo apt-get install mesa-common-dev freeglut3-dev
	sudo reboot


	UFW CONFIG
	sudo ufw limit proto tcp from 192.168.x.x/24 to any port 22
	sudo ufw limit 22/tcp

	sudo ufw status numbered
	sudo ufw delete <number>
	sudo ufw app list

	# /etc/ufw/ufw.conf
	IPV6=no
	# /etc/default/ufw
	IPV6=no


	GOOGLE CHROME INSTALL
	wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub \| sudo apt-key add -
	sudo sh -c 'echo "deb https://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
	sudo apt-get update
	sudo apt-get install google-chrome-stable


	DISABLE IPV6
	/etc/default/grub
	GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
	GRUB_CMDLINE_LINUX="ipv6.disable=1"
	sudo update-grub

	sudo vim /etc/sysctl.conf
	# Add the following to bottom of file:
	sudo sh -c "echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf" ;
	sudo sh -c "echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf";
	sudo sh -c "echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf" ;
	sudo sysctl -p


	SSHD_CONFIG
	/etc/ssh/sshd_config
	AddressFamily=inet
	X11Forwarding=no
	PermitRootLogin=no

	For publickey authentication only:
	PasswordAuthentication no
	PermitEmptyPasswords no
	PubkeyAuthentication yes

	DISABLE VMWARE PORT 902
	1. In /etc/init.d/vmware

	Comment out the line:
	vmware_exec 'VMware Authentication Daemon' vmware_start_authdlauncher
	Add the following line:
	echo 'Skipping: VMware Authentication Daemon'

	DISABLE SERVICES
	sudo apt-get purge avahi-daemon avahi-utils
	sudo apt-get purge whoopsie
	sudo apt-get purge apport

	sudo systemctl status

	sudo service --status-all
	sudo systemctl disable openvpn

	sudo chmod -x /usr/libexec/evolution-addressbook-factory
	sudo chmod -x /usr/libexec/evolution-calendar-factory
	sudo chmod -x /usr/libexec/evolution-data-server/evolution-alarm-notify
	sudo chmod -x /usr/libexec/evolution-source-registry


	SSH KEY Generation
	ssh-keygen -t rsa -b 4096
	cat id_rsa.pub >> ~/.ssh/authorized_keys
	sudo chmod 644 ~/.ssh/authorized_keys

	/etc/ssh/sshd_config
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	UsePAM no


	INSTALL DUO
	Create /etc/apt/sources.list.d/duosecurity.list with the following contents:
	for 18.04 (bionic)

	sudo sh -c "echo 'deb http://pkg.duosecurity.com/Ubuntu bionic main' >> /etc/apt/sources.list.d/duosecurity.list"

	curl -s https://duo.com/APT-GPG-KEY-DUO \| sudo apt-key add -
	sudo apt-get update && sudo apt-get install duo-unix

	FIX CHROME REP ERRORS:
	sudo vim /etc/apt/sources.list.d/google.list
	#deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
	sudo apt-get update


	PRINTER E250DN CUPS INSTALL
	1) Choose App/Socket/HP JetDirect
	2) socket://192.168.x.x whatever the IP address of your printer is. Do not add :9100


	PIP
	pip3 install --user --upgrade pip

	MOZILLA OBSERVATORY
	git clone https://github.com/mozilla/http-observatory.git
	cd http-observatory
	pip3 install --user --upgrade .
	pip3 install --upgrade -r requirements.txt

	./httpobs-local-scan github.com --format report >> github.log
	grep --colour=always -E '[0-9]\| not implemented' github.log


	CRYPTSETUP

	sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdx1

	sudo cryptsetup luksDump /dev/sdx1

	sudo cryptsetup luksOpen /dev/sdx1 luks_temp
	sudo mkfs.ext4 /dev/mapper/luks_temp
	sudo tune2fs /dev/mapper/luks_temp -m1

	COMPILE NMAP
	sudo apt install flex
	sudo apt install bison
	sudo apt install libssl-dev

	# libnmap
	pip3 install python-libnmap

	SAMBA / CIFS
	sudo mount -t cifs -o user=username,uid=uid_of_username,gid=gid_of_username //ip_or_hostname/sharename /folder

	sudo umount /folder

	ATFTPD / ATFTP
	sudo apt-get install atftpd
	sudo mkdir /tftp
	sudo chmod -R 777 /tftp
	sudo chown -R nobody /tftp

	# /etc/default/atftpd
	USE_INETD=false
	# OPTIONS below are used only with init script
	OPTIONS="--tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr 239.239.239.0-255 --mcast-ttl 1 --maxthread 100 --verbose=7 /tftp --logfile /var/log/atftp.log"

	sudo touch /var/log/atftpd.log
	sudo chmod 644 /var/log/atftpd.log

	sudo systemctl enable atftpd
	sudo systemctl restart atftpd

	netstat -lnp \| grep ":69 "


	PARTED (format USB or Hard disk)
	sudo parted -a optimal /dev/sdb
	print
	mklabel gpt (or msdos,mac,bsd)
	mkpart exfat 0% 100%

	sudo parted /dev/sdb align-check optimal 1 (1 is ths partition number, or use minimal)

	sudo mkfs.exfat /dev/sdb1