Ubuntu Server
The following assumes you have not enabled the root user, thus the use of 'sudo'. If you have enabled the root user you can ignore sudo.
Download
http://cdimage.ubuntu.com/releases/18.04/release/
Standard System Utilities
You can see the list of packages after install using tasksel...
sudo tasksel --task-package standard
List of packages...
telnet powermgmt-base ntfs-3g ubuntu-release-upgrader-core iputils-tracepath python3-update-manager groff-base python3-distupgrade bind9-host mtr-tiny bash-completion mlocate tcpdump geoip-database install-info irqbalance language-selector-common friendly-recovery command-not-found info hdparm man-db lshw update-manager-core apt-transport-https accountsservice command-not-found-data python3-commandnotfound time ltrace parted popularity-contest strace ftp ubuntu-standard lsof
Thanks - http://askubuntu.com/questions/766419/whats-in-standard-system-utilities-w-16-04-server
Create List Installed Packages To Install Later
sudo dpkg --get-selections > pkglist.txt
Then...
sudo apt-get install dselect
sudo dpkg --set-selections < pkglist.txt
sudo apt-get dselect-upgrade
https://www.ostechnix.com/create-list-installed-packages-install-later-list-centos-ubuntu/
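The same dpkg selection dump can also serve as an inventory baseline: diffing a fresh dump against the saved one shows which packages appeared on the box since the list was taken. The script below is an added example, not part of the original page; it works on constructed sample dumps in the `dpkg --get-selections` format (name, state, whitespace separated), drops "deinstall" entries and strips the ":arch" suffix so multi-arch names compare cleanly.

```shell
#!/bin/sh
# Constructed sample dumps in `dpkg --get-selections` format (name, state).
BASELINE='bash install
curl install
nano install
screen install
old-tool deinstall'
CURRENT='bash install
curl install
libfoo:amd64 install
nano install
netcat-openbsd install
screen install
tree install'

# selected_packages DUMP -> sorted names of packages whose state is "install";
# "deinstall" entries are dropped and any ":arch" suffix is stripped.
# LC_ALL=C keeps sort and comm on the same collation order.
selected_packages() {
  printf '%s\n' "$1" \
    | LC_ALL=C awk '$2 == "install" { sub(/:.*/, "", $1); print $1 }' \
    | LC_ALL=C sort -u
}

# added_packages BASELINE CURRENT -> names present now but absent from the baseline
added_packages() {
  tmp=$(mktemp)
  selected_packages "$1" > "$tmp"
  selected_packages "$2" | LC_ALL=C comm -13 "$tmp" -
  rm -f "$tmp"
}

# Stand-alone usage on the constructed dumps. On a real host the second
# argument would be "$(dpkg --get-selections)" and the first "$(cat pkglist.txt)".
echo "Packages added since baseline:"
added_packages "$BASELINE" "$CURRENT"
```

Restoring on a rebuilt machine uses the page's `dpkg --set-selections` route; the diff is for the opposite direction, spotting unexplained additions on a host you thought was frozen.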
Completely Automated Install
To do this you need the package system-config-kickstart, but because it is a GUI program installing it normally pulls in far too much for a server. Instead, download the Debian package file manually and install it with dependency checks forced off.
Download the kickstart configurator package...
wget http://www.mirrorservice.org/sites/archive.ubuntu.com/ubuntu/pool/main/s/system-config-kickstart/system-config-kickstart_2.5.20-0ubuntu25_all.deb
Install it with force...
sudo dpkg --force-depends -i system-config-kickstart_2.5.20-0ubuntu25_all.deb
Now switch to root user...
sudo -i
Run the kickstart program with switches...
system-config-kickstart --generate ks.cfg
Edit the ks.cfg file to your liking.
http://askubuntu.com/questions/122505/how-do-i-create-a-completely-unattended-install-of-ubuntu
https://help.ubuntu.com/lts/installation-guide/i386/ch04s06.html
HOWTO: UPGRADE
Usual Routine
sudo apt-get update
sudo apt-get check
sudo apt-get --download-only upgrade
sudo apt-get --simulate upgrade
sudo apt-get --quiet upgrade
sudo update-grub
sudo update-initramfs -t -u
sudo reboot
From 13.04
Edit the sources file...
sudo nano /etc/apt/sources.list
deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring universe
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates universe
deb http://old-releases.ubuntu.com/ubuntu/ raring multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-backports main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-security main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring-security universe
deb http://old-releases.ubuntu.com/ubuntu/ raring-security multiverse
Update the package list...
sudo apt-get update
sudo apt-get check
Download the software first...
sudo apt-get --download-only dist-upgrade
Update the software...
sudo apt-get --simulate dist-upgrade
sudo apt-get --quiet dist-upgrade
Double Check grub boot loader...
sudo update-grub
sudo update-initramfs -k all -u
sudo sync
Reboot...
sudo reboot
'apt-get upgrade' OR 'apt-get dist-upgrade'?
upgrade
upgrade is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list. Packages currently installed with new versions available are retrieved and upgraded; under no circumstances are currently installed packages removed, or packages not already installed retrieved and installed. New versions of currently installed packages that cannot be upgraded without changing the install status of another package will be left at their current version. An update must be performed first so that apt-get knows that new versions of packages are available.
dist-upgrade
dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a "smart" conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. So, dist-upgrade command may remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages.
Thanks to AskUbuntu.com.
HOWTO: GENERAL:
Install Options
- Default Server = Server kernel + "Basic Ubuntu server" task packages
- Minimal System = Server kernel + no additional packages
- Minimal Virtual Machine = Virtual kernel + no additional packages
Thanks - http://askubuntu.com/questions/57336/minimal-system-or-minimal-virtual-machine-on-install
Size Swap File Partition - Suggested Sizes
- Systems with 4GB of RAM or less require a minimum of 2GB of swap space
- Systems with 4GB to 16GB of RAM require a minimum of 4GB of swap space
- Systems with 16GB to 64GB of RAM require a minimum of 8GB of swap space
- Systems with 64GB to 256GB of RAM require a minimum of 16GB of swap space
Thanks to Cyberciti.
HOWTO: DISABLE:
SystemD DNS Resolver
Disable the systemd-resolved service and stop it:
sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop
Put the following line in the [main] section of your /etc/NetworkManager/NetworkManager.conf:
dns=default
Delete the symlink /etc/resolv.conf
sudo rm /etc/resolv.conf
Restart network-manager
sudo service network-manager restart
Thanks - https://askubuntu.com/questions/907246/how-to-disable-systemd-resolved-in-ubuntu
RAM Usage
Message Of The Day (MOTD)
sudo chmod a-x /etc/update-motd.d/*
sudo rm -rfv /etc/update-motd.d/50-landscape-sysinfo
sudo dpkg-reconfigure landscape-common
sudo apt-get purge landscape-*
Thanks - http://askubuntu.com/questions/385072/how-set-the-message-of-the-day-motd-as-ubuntu-server
rtc error
Ubuntu Server tries to load the module 'rtc' on boot. This is no longer needed on newer hardware.
Check to make sure your clock is correct...
sudo date && sudo hwclock
Just comment out the offending line from the modules configuration file. Might as well stop the printer driver as well!
sudo nano /etc/modules
# lp
# rtc
console-kit-daemon
To see how many are running:
sudo apt-get install psmisc
pstree -cln
To get rid of the service you will need to first find its process ID:
ps aux | grep console-kit-daemon
Which should return something similar to:
root 1393 0.0 0.1 2091756 3940 ? Sl 11:04 0:00 /usr/sbin/console-kit-daemon --no-daemon
Where 1393 is the process ID. Stop it (kill takes a PID; pkill takes a process name, so it would not match a number) and remove it from start up:
sudo kill 1393
sudo cp /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service org.freedesktop.ConsoleKit.old
sudo rm /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service
Thanks to AskUbuntu.
Clear Screen After Boot Before Login
Add --noclear to the getty options for the 1st terminal...
sudo nano /etc/init/tty1.conf
exec /sbin/getty -8 38400 --noclear tty1
Console Screen Blanking
sudo setterm --blank 0
To make this change permanent, create a file called 'setterm.start' in the /etc/local.d/ folder.
sudo mkdir /etc/local.d
sudo nano /etc/local.d/setterm.start
setterm --blank 0
sudo chmod +x /etc/local.d/setterm.start
Control-Alt-Delete
NEW
sudo systemctl mask ctrl-alt-del.target
sudo systemctl daemon-reload
Thanks - https://help.ubuntu.com/lts/serverguide/console-security.html
OLD
sudo mkdir /root/misc
sudo mv -v /etc/init/control-alt-delete.conf /root/misc/
Low Resolution Console
sudo nano /etc/default/grub
GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=10
GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash nofb nomodeset"
GRUB_TERMINAL=console
sudo update-grub
IPv6 - Method 1
sudo nano /etc/default/grub
GRUB_CMDLINE_LINUX="ipv6.disable=1"
sudo update-grub
sudo nano /etc/netconfig
#udp6 tpi_clts v inet6 udp - -
#tcp6 tpi_cots_ord v inet6 tcp - -
sudo netstat -tln
IPv6 - Method 2
The easiest and safest method is to add the settings to the /etc/sysctl.conf file. To disable IPv6 using sysctl, open a terminal and perform the following steps:
Open the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
Add the following lines at the end of the sysctl.conf file:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
An additional line is also required for each interface you want to disable IPv6:
net.ipv6.conf.<ifname>.disable_ipv6 = 1
So if the interface name is enp0s3, then:
net.ipv6.conf.enp0s3.disable_ipv6 = 1
Then save and exit nano.
To save the changes:
sudo sysctl -p
The following command can be run to check the IPv6 status:
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
If the output is 1 then IPv6 is disabled, the command will output 0 when IPv6 is enabled.
To re-enable IPv6 addresses, remove the above configuration from sysctl.conf and execute the sysctl -p command.
Thanks to Config Server Firewall
IPv6 - Method 3
Add blacklist ipv6 to /etc/modprobe.d/ipv6.conf and reboot. Note that a plain "sudo echo ... >> file" fails because the redirection runs as your own user, so write the file through tee. This method only has an effect when IPv6 is built as a loadable module; Ubuntu's stock kernels compile it in, so Method 2 is the reliable choice.
echo "blacklist ipv6" | sudo tee -a /etc/modprobe.d/ipv6.conf && sudo reboot
whoopsie
Whoopsie is Ubuntu's Error Reporting daemon, to disable it:
sudo service whoopsie stop
sudo update-rc.d -f whoopsie remove
sudo apt-get purge whoopsie
Service From Automatically Starting By Upstart
echo "manual" | sudo tee /etc/init/SERVICE.override
Thanks - http://askubuntu.com/questions/19320/how-to-enable-or-disable-services
HOWTO: INSTALL:
Encrypted LVM on top of Software RAID
https://www.itfromscratch.com/install-ubuntu-server-12-04-with-encrypted-lvm-on-raid1
Software RAID
https://help.ubuntu.com/16.04/serverguide/advanced-installation.html
The Urban Penguin - Software Raid Tutorial
Things To Do After Initial Install:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -y net-tools apt-transport-https bash-completion curl nano screen tree
sudo reboot
Problems?
If you installed from the CD and cannot complete the steps above because apt says it only has the package lists from the CD, the fix below rewrites the apt sources list...
sudo -i
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty main restricted" >/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty-updates main restricted" >>/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty universe" >>/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty-updates universe" >>/etc/apt/sources.list
Now you can continue...
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -y apt-transport-https bash-completion curl nano screen tree
sudo reboot
BASH Completion
sudo nano /etc/bash.bashrc
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
CPU Stepping
sudo apt-get install -y cpufrequtils
sudo update-rc.d cpufrequtils defaults
sudo cpufreq-info
sudo grep 'MHz' /proc/cpuinfo
Network Time Protocol (NTP)
Ubuntu Bionic Beaver 18.04
The time package ntp is no longer needed.
NEW
sudo timedatectl status
sudo systemctl status systemd-timesyncd
https://help.ubuntu.com/lts/serverguide/NTP.html
OLD
sudo apt-get -y install ntp ntpdate
To add or remove time servers edit the configuration file:
sudo nano /etc/ntp.conf
pool uk.pool.ntp.org
Then reconfigure...
sudo dpkg-reconfigure tzdata
sudo service ntp restart
Test...
date
Temperature Sensor Monitoring
sudo apt-get install lm-sensors
sudo sensors-detect
sudo service kmod start
sudo update-rc.d kmod defaults
sudo sensors
coretemp-isa-0000
Adapter: ISA adapter
Core 0:      +41.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:      +41.0°C  (high = +80.0°C, crit = +100.0°C)

smsc47b397-isa-0480
Adapter: ISA adapter
fan1:      1037 RPM
fan2:         0 RPM
fan3:         0 RPM
fan4:      1017 RPM
temp1:      +50.0°C
temp2:      +37.0°C
temp3:      +21.0°C
temp4:     -128.0°C
Uptime
uptimed
sudo apt-get install -y uptimed
tuptimed
sudo apt-get install -y git python
cd /tmp
sudo git clone https://github.com/rfrail3/tuptime.git
cd tuptime
sudo chmod +x tuptime-install.sh
sudo ./tuptime-install.sh
Thanks to Cyberciti.
Linux Dash
Follow this article.
HOWTO: FIX:
Repositories
For 18.04 onwards:
sudo add-apt-repository universe
sudo add-apt-repository restricted
sudo add-apt-repository multiverse
Supported Packages
sudo ubuntu-support-status
Daily Cron Error
If you receive the following error:
/etc/cron.daily/apt: DB Update failed, database locked
Try uninstalling the following package:
sudo apt-get remove apt-xapian-index
Thanks to Porotal.org.
Enable IP Forwarding On Reboot
sudo sysctl -w net.ipv4.ip_forward=1
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
Thanks - http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/
Cannot Reboot Or Shutdown Hangs Stops
This is to be used as a last resort... but it may just save your skin.
echo 1 | sudo tee /proc/sys/kernel/sysrq
echo b | sudo tee /proc/sysrq-trigger
Blank Screen Unsupported Video Options
- Hold RIGHT SHIFT down during CD boot
- Press F6 to choose Advanced Options
- Press ESC
- Use the arrow keys to move along the Boot line
- Change the ==vga== number to ==769==
Thanks to Wikipedia
Failed to connect to system bus ERROR
You may see these error messages in ==/var/log/auth.log==...
Feb 5 15:38:02 hostname proftpd: pam_systemd(proftpd:session): Failed to connect to system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
To fix it, make sure you add the dbus service to system startup, and then restart the services...
sudo update-rc.d dbus defaults
sudo service dbus restart
sudo service proftpd restart
Thanks to Gentoo
MEI Kernel Error Messages
"The Intel Management Engine (Intel ME) is an isolated and protected computing resource (Co-processor) residing inside certain Intel chipsets. The Intel ME provides support for computer/IT management features. The feature set depends on the Intel chipset SKU."
Thanks to Kernel.org
But this might not be needed if the hardware does not support it, and you will get the following errors in your kernel logs...
kernel: [258168.036048] mei 0000:00:03.0: unexpected reset: dev_state = RESETING
Edit the ==/etc/modprobe.d/blacklist.conf== file and add the following line...
# fix unwanted intel kernel messages
blacklist mei
...then reboot.
User Is Not In The Sudoers File Stuck Help
http://www.maketecheasier.com/fixing-sudo-error-in-ubuntu/
Samba Error: no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
sudo pam-auth-update
Untick "SMB password synchronization"
Thanks to Ubuntu Forums.
HOWTO: LIST:
SystemD Timers
sudo systemctl list-timers
If Packages Or System Needs Restart
sudo apt-get install needrestart
sudo needrestart
Thanks - https://www.cyberciti.biz/faq/how-to-find-out-if-my-ubuntudebian-linux-server-needs-a-reboot
Recently Installed Packages
sudo apt list --installed
or
sudo cat /var/log/dpkg.log* | grep ' installed' | sort -k1
Running Daemons With IPv4 And IPv6
sudo apt-get -y install lsof
sudo lsof -i -n -P
Startup Services
sudo apt-get install dialog rcconf
sudo rcconf
sudo initctl list | sort
sudo service --status-all
sudo ls -lah /etc/rc*
HOWTO: SET:
Locale
en_GB.UTF-8
en_US.UTF-8
locale -a
localectl status
cat /etc/default/locale
sudo dpkg-reconfigure locales
sudo reboot
https://lintut.com/how-to-set-up-system-locale-on-ubuntu-18-04/
If the above does not work, and you still have loads of unwanted locales, then perform the following steps manually...
- Edit the locale file(s) in /var/lib/locales/supported.d/, and remove all unneeded locales (one locale per line)
- Create and edit /etc/default/locale (see above for an example)
- Delete all generated locale data
- Re-generate new locales
sudo nano /var/lib/locales/supported.d/en
sudo nano /etc/default/locale
sudo rm -rfv /usr/lib/locale/*
sudo locale-gen
IP Address On Login Screen
echo "My IP Address: \4" | sudo tee -a /etc/issue
Hostname
sudo hostnamectl set-hostname webserver.mydomain.com
Touch Booted and Rebooted Files
sudo nano /etc/rc.local
touch /booted
exit 0
sudo nano /etc/init.d/rebooted
#!/bin/sh
touch /rebooted
sudo chmod +x /etc/init.d/rebooted
cd /etc/rc6.d/
sudo ln -s ../init.d/rebooted K00rebooted
Passwordless sudo
Edit the sudoers file with visudo, which checks the syntax before saving so a typo cannot lock you out of sudo:
sudo visudo
ALL ALL = (ALL) NOPASSWD: ALL
Application To Start On Boot
sudo nano /etc/rc.local
Better Log Files
Edit the following file to match content below:
sudo nano /etc/rsyslog.d/50-default.conf
cron.*                          /var/log/cron.log
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
#mail.err                       /var/log/mail.err
#news.crit                      /var/log/news/news.crit
#news.err                       /var/log/news/news.err
#news.notice                    -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
#daemon.*;mail.*;\
#       news.err;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       |/dev/xconsole
#
Getty Terminals
Reduce the number of terminals to 2...
sudo mkdir /root/misc
sudo mv -v /etc/init/tty{3,4,5,6}.conf /root/misc/
sudo nano /etc/default/console-setup
ACTIVE_CONSOLES="/dev/tty[1-2]"
and
sudo nano /etc/systemd/logind.conf
NAutoVTs=2
and
sudo nano /lib/systemd/system/getty.target.wants/getty-static.service
from this...
ExecStart=/bin/systemctl --no-block start getty@tty2.service getty@tty3.service getty@tty4.service getty@tty5.service getty@tty6.service
to this...
ExecStart=/bin/systemctl --no-block start getty@tty2.service
Thanks - http://unix.stackexchange.com/questions/56531/how-to-get-fewer-ttys-with-systemd
Root User
sudo su
sudo passwd root
You will be prompted to enter and confirm the password for 'root'. After that you can log in as root and have full privileges without typing 'sudo' at the start of each command.
Normal User
sudo useradd -c "John Smith" -s /bin/bash -m jsmith
sudo passwd jsmith
Elevate User To Root
sudo gpasswd -a jsmith sudo
sudo gpasswd -a jsmith adm
Static IP Address
18.04
In Ubuntu 18.04 network configuration is managed by Netplan...
https://arador.com/how-to-configure-a-static-ip-address-in-ubuntu-18-04/
sudo netplan generate
sudo nano /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      dhcp4: no
      dhcp6: no
      addresses: [192.168.1.2/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8,8.8.4.4]
sudo netplan apply
WIRELESS
network:
  version: 2
  renderer: networkd
  wifis:
    wlp2s0:
      dhcp4: no
      dhcp6: no
      addresses: [192.168.1.2/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8,8.8.4.4]
      access-points:
        SSIDNAME:
          password: thisismypassword
16.04
sudo nano /etc/network/interfaces
Edit the file to read (this example uses 192.168.0.100 for the system and Google's DNS servers):
For a single network card system...
# ONE CARD
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
iface em1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.254
    dns-nameservers 208.67.222.222 208.67.222.220 8.8.8.8 8.8.4.4
##  post-up route del -net 169.254.0.0 netmask 255.255.0.0
For a dual network card system, using Shoreline Firewall (Shorewall)...
# TWO CARDS
# The loopback network interface
auto lo
iface lo inet loopback

# The inside network interface
auto em2
iface em2 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    dns-nameservers 127.0.0.1
    dns-search domain.com

# The outside network interface
auto em1
iface em1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255
    gateway 10.0.0.2
Save and close the file, then restart the network:
sudo /etc/init.d/networking restart
Edit the 'hosts' file:
sudo nano /etc/hosts
Edit the file to read (server2 used for this example):
127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1
Then run:
echo server1.example.com | sudo tee /etc/hostname
sudo /etc/init.d/hostname.sh restart
Check the configuration:
hostname
hostname -f
Both of the above commands should return:
server1.example.com
Time Zone And Date
sudo apt-get install ntp
sudo dpkg-reconfigure tzdata
HOWTO: RUN:
Automated Package List Updates But Not Install
Install the software...
sudo apt-get install cron-apt
sudo nano /etc/cron-apt/config
MAILON="always"
MAILTO="me@myemail.com"
Read more about the software in the README...
less /usr/share/doc/cron-apt/README.gz
Thanks to Debian Administration Org.
Command On System Startup As Another User
sudo nano /etc/rc.local
# mpdscribble
su -c 'mpdscribble' username &
# exit (the line below must be the last line in the file)
exit 0
Thanks to AskUbuntu.
Force Filesystem Check On Reboot
sudo touch /forcefsck
sudo reboot
HOWTO: SSH:
Install Server
sudo apt-get install ssh openssh-server
Copy Public Key To Server
ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.0.x
Secure
To get it "Tight as a duck's a***"...
Levels
- Port Number
- Firewall Rules
- TCP Wrappers
- SSH Daemon Configuration
User --> Non Standard Port --> Firewall Check --> TCP Wrapper Check --> SSH Configuration Check --> Logged In
Files
==> /etc/hosts <==
127.0.0.1 localhost.localdomain localhost
10.0.0.1 server1.domain.co.uk server1
12.345.678.90 www.domain.co.uk

==> /etc/hosts.allow <==
ALL: 10.0.0.0/24
imap: ALL
sshd: 123.456.789

==> /etc/hosts.deny <==
ALL: ALL
Testing
tcpdmatch sshd 123.456.789
client:   address  123.456.789
server:   process  sshd
access:   granted
Thanks to Bodhizazen Net. & Cyberciti
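The decision tcpdmatch reports above follows a fixed order: hosts.allow is consulted first and a match grants access, then hosts.deny is consulted and a match denies, and a client matched by neither file is granted. The script below is an added example (not part of the original page) that replays that order against constructed copies of the page's two files so the effect of each rule can be checked without touching a live server. It assumes sshd is linked against libwrap, which is what makes hosts.allow apply to it at all, and it uses 203.0.113.5 (a documentation address) in place of the page's 123.456.789, which is not a valid IPv4 address.

```shell
#!/bin/sh
# Replays the tcpd/libwrap decision: hosts.allow first (match = grant),
# then hosts.deny (match = deny), no match anywhere = grant.
# Constructed rule sets mirroring the page's files; 203.0.113.5 stands in
# for the page's placeholder client address.
HOSTS_ALLOW='ALL: 10.0.0.0/24
imap: ALL
sshd: 203.0.113.5'
HOSTS_DENY='ALL: ALL'

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN IP -> true when a hosts.allow/deny client pattern
# (ALL, a.b.c.d/bits CIDR, trailing-dot prefix, or exact address) matches IP
client_matches() {
  local pat=$1 ip=$2 net bits mask
  case $pat in
    ALL) return 0 ;;
    */*)
      net=${pat%/*}; bits=${pat#*/}
      mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
      [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] ;;
    *.)
      case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
    *) [ "$pat" = "$ip" ] ;;
  esac
}

# rules_match RULES DAEMON IP -> true when some "daemons: clients" line in
# RULES names DAEMON (or ALL) and one of its client patterns matches IP
rules_match() {
  local rules=$1 daemon=$2 ip=$3 line dlist clist d c
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    dlist=${line%%:*}; clist=${line#*:}
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
      [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
      for c in $(printf '%s' "$clist" | tr ',' ' '); do
        client_matches "$c" "$ip" && return 0
      done
    done
  done <<EOF
$rules
EOF
  return 1
}

# tcpd_access DAEMON IP -> prints granted/denied (like tcpdmatch's "access:"
# line); exit status 0 for granted, 1 for denied
tcpd_access() {
  if rules_match "$HOSTS_ALLOW" "$1" "$2"; then echo granted; return 0; fi
  if rules_match "$HOSTS_DENY" "$1" "$2"; then echo denied; return 1; fi
  echo granted
}

# Stand-alone usage: a few decisions for the rule sets above
for probe in "sshd 10.0.0.7" "sshd 203.0.113.5" "sshd 198.51.100.9" "imap 198.51.100.9" "smtp 10.0.1.1"; do
  printf '%-20s %s\n' "$probe" "$(tcpd_access $probe)"
done
```

Two things the replay makes visible that the files alone do not: "imap: ALL" in hosts.allow short-circuits the "ALL: ALL" deny for imap from anywhere, and an address just outside the /24 (10.0.1.1) falls through to the deny for every daemon that has no line of its own.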
Speed Up Logins
Server Side
Turn off the DNS lookups...
sudo nano /etc/ssh/sshd_config
UseDNS no
Turn off the MOTD (Message Of The Day)...
touch ~/.hushlogin
Client Side
Turn off IPv6...
nano ~/.ssh/config
Host *
    AddressFamily inet
HOWTO: DNS
sudo apt-get install dnsutils dnsmasq
sudo service dnsmasq stop
sudo nano /etc/default/dnsmasq
IGNORE_RESOLVCONF=yes
sudo nano /etc/dnsmasq.conf
resolv-file=/etc/dnsmasqresolv.conf
domain=domain.uk.com
sudo nano /etc/dnsmasqresolv.conf
nameserver 208.67.222.222 # OpenDNS
nameserver 208.67.222.220 # OpenDNS
nameserver 8.8.8.8 # Google
nameserver 8.8.4.4 # Google
sudo nano /etc/hosts
# Delete the contents of the file and add the following to match your server details.
127.0.0.1 localhost.localdomain localhost
192.168.0.1 server.domain.uk.com server
sudo service dnsmasq restart
netstat -nap | grep 'dnsmasq'
dig
dig @localhost test.domain.uk.com
dig @localhost test
dig @localhost www.google.co.uk
...as per this page - DNS#HOWTO:_Local_Network_Fast_Caching_Name_Server_.2B_DHCP_Server_Using_DNSMasq
HOWTO: DHCP
sudo nano /etc/dnsmasq.conf
dhcp-range=192.168.0.50,192.168.0.99,12h
dhcp-host=e8:03:9a:ed:65:56,paul-laptop,192.168.0.103,12h
dhcp-option=router,192.168.0.1
dhcp-option=ntp-server,192.168.0.1
dhcp-option=dns-server,192.168.0.1
HOWTO: FILE SERVER: SAMBA
sudo apt-get install samba samba-client
sudo service smbd stop
sudo service nmbd stop
sudo nano -w /etc/samba/smb.conf
[global]
    workgroup = BLOGGS
    server string = Samba Server %v
    netbios name = SERVER1
    map to guest = Bad User
    passdb backend = smbpasswd
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    domain master = No
    dns proxy = No
    printing = bsd

[shared]
    comment = Shared file space
    path = /home/samba/shared
    force user = nobody
    force group = nogroup
    read only = No
    guest ok = Yes
    create mask = 0775
    force create mode = 0775
    directory mask = 0775
    force directory mode = 0775
sudo mkdir -p /home/samba/shared
sudo chown -R nobody /home/samba/shared
sudo chgrp -R nogroup /home/samba/shared
sudo touch /etc/printcap
sudo smbpasswd -a jbloggs
sudo testparm -s
sudo service smbd start
sudo service nmbd start
sudo smbstatus
smbtree # You will be asked for root's password, ignore this and just press enter
smbclient -U jbloggs -L //SERVER1/
HOWTO: MAIL SERVER:
INSTALL: Virtual Users Using Postfix And Dovecot With Security
sudo -i
groupadd vmail -g 2222
useradd vmail -r -g 2222 -u 2222 -d /var/vmail -m -c "VMail User"
apt-get -y install postfix   # choose "No configuration" when asked
cd /etc/postfix/
touch aliases
touch generic
touch header_checks
touch main.cf
touch relay_recipients
touch sender_access
touch vmail_aliases
touch vmail_domains
touch vmail_mailbox
nano generic
postmap generic
nano main.cf
>master.cf   # empties master.cf before editing it
nano master.cf
nano relay_recipients
postmap relay_recipients
nano sender_access
postmap sender_access
nano vmail_aliases
postmap vmail_aliases
nano vmail_domains
postmap vmail_domains
nano vmail_mailbox
postmap vmail_mailbox
service postfix stop
INSTALL: Slim Email Server - Sent To Another Server's Mail Hub
http://wiki.indie-it.com/index.php?title=SSMTP
INSTALL: Basic Email Server - Part I - Procmail + Postfix + Mutt
Set the System Wide Maildir Email Directory...
sudo nano /etc/bash.bashrc
MAIL=$HOME/.maildir/
Install the software...
sudo apt-get install procmail postfix mutt
Postfix Configuration > Mailer Type > Internet Site with Smarthost > Domain Name = server1.domain.com > SMTP Relay = auth.smtp.1and1.co.uk
Configure the software...
sudo nano /etc/procmailrc
# Use maildir-style mailbox in user's home directory
DEFAULT=$HOME/.maildir/
# Log actions to file
LOGFILE=/var/log/procmail.log
# Log synopsis of messages
LOGABSTRACT=all
# Be verbose
VERBOSE=no
sudo nano /etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = server2.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server2.domain.com, server2, domain.com, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 192.168.0.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1, 192.168.0.171
inet_protocols = ipv4
header_checks = regexp:/etc/postfix/header_checks
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
relayhost = [auth.smtp.1and1.co.uk]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_password
smtp_sasl_security_options = noanonymous
Create the SASL password file. Postfix looks the credentials up by the relayhost value, so the key on the left must match relayhost exactly, including the square brackets and the :port...
sudo nano /etc/postfix/sasl/sasl_password
[my.smtp.host.co.uk] me@myemailaccount.com:passW0rD
Lock down permissions...
sudo chmod 0600 /etc/postfix/sasl/sasl_password
Hash the file...
sudo postmap hash:/etc/postfix/sasl/sasl_password
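The three steps above (create, chmod 0600, postmap) are easy to get out of order, and the usual failures are a map left world-readable, a .db that was never rebuilt after the password changed, or an entry whose key does not match relayhost. The function below is an added example, not part of the original page, that checks those conditions on a given map file; it assumes GNU coreutils stat (Linux) and the "[host]:port user:password" layout the page uses.

```shell
#!/bin/sh
# check_sasl_map MAP -> exit 0 when the relay credential map is safe to use,
# 1 otherwise, printing each problem found. Checks: MAP and its hashed MAP.db
# exist and are mode 0600 (or 0400); the .db is not older than the source
# (postmap was re-run after the last edit); every entry has a "[host]:port"
# key (the form relayhost uses) and a non-empty password after the colon.
# Assumption: GNU stat, as on Ubuntu.
check_sasl_map() {
  map=$1; rc=0
  if [ ! -f "$map" ]; then
    echo "missing: $map"; return 1
  fi
  mode=$(stat -c %a "$map")
  case $mode in
    600|400) ;;
    *) echo "$map is mode $mode; relay credentials must be 0600"; rc=1 ;;
  esac
  if [ ! -f "$map.db" ]; then
    echo "no hashed map $map.db (run: postmap hash:$map)"; rc=1
  elif [ "$map" -nt "$map.db" ]; then
    echo "$map was edited after $map.db was built (re-run postmap)"; rc=1
  else
    mode=$(stat -c %a "$map.db")
    case $mode in
      600|400) ;;
      *) echo "$map.db is mode $mode; must be 0600"; rc=1 ;;
    esac
  fi
  # Validate each entry; grep drops blank and comment lines. The while loop
  # runs in a subshell, so any complaint it prints is turned into rc=1 via grep.
  grep -Ev '^[[:space:]]*(#|$)' "$map" | while read -r key cred rest; do
    case $key in
      \[*\]:[0-9]*|\[*\]) ;;
      *) echo "key '$key' is not of the form [host]:port and will not match relayhost" ;;
    esac
    case $cred in
      *:?*) ;;
      *) echo "entry for $key has an empty password" ;;
    esac
  done | grep . && rc=1
  return $rc
}

# Stand-alone usage: check_sasl_map /etc/postfix/sasl/sasl_password
[ $# -gt 0 ] && check_sasl_map "$1"
```

Run it as root after every edit of the map; a clean run prints nothing and exits 0, which makes it suitable as a cron or deploy-time check.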
Create the Postfix generic maps file...
sudo nano /etc/postfix/generic
root@myhostname.localdomain me@myemailaccount.com
user1@myhostname.localdomain me@myemailaccount.com
user2@myhostname.localdomain me@myemailaccount.com
Hash the file...
sudo postmap hash:/etc/postfix/generic
Copy the supporting files to the Postfix working directory...
sudo cp -av /etc/hosts /var/spool/postfix/etc/
sudo cp -av /etc/services /var/spool/postfix/etc/
sudo cp -av /etc/localtime /var/spool/postfix/etc/
cat /etc/resolv.conf | sudo tee /var/spool/postfix/etc/resolv.conf >/dev/null
Create the header checks file for later (with MailScanner)...
sudo touch /etc/postfix/header_checks
Fix the aliases file for root's email...
sudo nano /etc/aliases
root: regularuser
sudo newaliases
Restart Postfix...
sudo postfix stop
sudo postfix start
Install heirloom-mailx and mutt...
sudo apt-get install -y heirloom-mailx mutt
Configure system wide settings...
sudo nano -w /etc/Muttrc
## tweaks
set mbox_type=maildir
set editor="nano"
# I like to see all my mail headers in my editor:
set edit_headers=yes
# don't wait for sendmail to finish (this runs sendmail in the background)
set sendmail_wait=-1
# this prevents Mutt from endlessly asking when you quit:
# "Move read messages to ~/mbox? ([no]/yes):"
set move=no
# this prevents Mutt from endlessly asking:
# "~/Mail does not exist. Create it? ([yes]/no):"
set folder=""
Send test email message...
mail me@myemailaccount.com
Subject: test
Cc:
message
.
INSTALL: Basic Email Server - Part II - Fetchmail
sudo apt-get install fetchmail
sudo useradd -c "Server Postman" -d /home/postman -s /bin/bash -m postman
sudo passwd postman
su - postman
cd
touch fetchmail.log
nano ~/.fetchmailrc
set daemon 600
set logfile /home/postman/fetchmail.log
set no bouncemail
set postmaster postman
poll pop.1and1.co.uk protocol pop3 uidl localdomains domain.com
  username "mailbox@domain.com" password "mypassword" is root here fetchall
  preconnect "date >> /home/postman/fetchmail.log"
chmod 0700 ~/.fetchmailrc
exit
su - postman
cd
nano fmcheck
#!/bin/bash
#
# fmcheck
#
# Script to check if the fetchmail daemon is running
#
EXPRESSION='fetchmail'
ps -U postman | grep $EXPRESSION
if [ $? -eq 0 ]; then
  echo "$EXPRESSION process running"
else
  echo "$EXPRESSION process not running"
  fetchmail --quit
  sleep 3
  fetchmail --limit 30000000
  echo "$EXPRESSION process running"
fi
chmod +x fmcheck
fetchmail --version --check --verbose
./fmcheck
Cron runs jobs with /bin/sh, which does not understand the bash-only "&>" redirection (it would background the job instead), so redirect both streams explicitly:
sudo crontab -e -u postman
*/20 * * * * ~/fmcheck >/dev/null 2>&1
INSTALL: Basic Email Server - Part III - MailScanner + ClamAV + SpamAssassin + DCC + Razor + Pyzor
Make sure you have enough free memory for this, and create a swapfile if needed!
https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04
Switch to root first. You have a LOT to do here...
sudo -i
Install Clam AntiVirus and SpamAssassin first...
sudo apt-get install -y -v clamav clamav-daemon spamassassin
sudo service spamassassin stop
sudo update-rc.d -f spamassassin remove
sudo nano /etc/clamav/freshclam.conf
DatabaseMirror db.GB.clamav.net
sudo freshclam
sudo sa-update
sudo clamscan --version
sudo spamassassin --version
Now switch to root home directory and install the latest MailScanner from the Ubuntu DEB version...
cd
mkdir misc
cd misc
wget https://s3.amazonaws.com/mailscanner/release/v4/deb/MailScanner-4.85.2-3.deb.tar.gz
tar -xzvf MailScanner-4.85.2-3.deb.tar.gz
cd MailScanner-install-4.85.2/
./install.sh
Install the link for the old version...
ln -s /opt/MailScanner/bin/check_mailscanner /usr/sbin/
Now add some MailScanner jobs to root's crontab. Cron runs them with /bin/sh, which does not support the bash-only "&>" redirection, so send both streams to /dev/null explicitly...
crontab -e
# mailscanner
0 0 * * * /root/bin/mailscanner_archive.sh >/dev/null 2>&1
37 5 * * * /usr/sbin/update_bad_phishing_sites >/dev/null 2>&1
07 * * * * /usr/sbin/update_bad_phishing_sites >/dev/null 2>&1
42 * * * * /usr/sbin/update_virus_scanners >/dev/null 2>&1
3,23,43 * * * * /usr/sbin/check_mailscanner >/dev/null 2>&1
Configure the main MailScanner configuration file...
nano /etc/MailScanner/MailScanner.conf
%org-name% = mydomain
%org-long-name% = Company Name
%web-site% = www.mydomain.com
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
MTA = postfix
Incoming Work User =
Incoming Work Group = clamav
Incoming Work Permissions = 0640
Virus Scanners = clamd
Clamd Port = 3310
Clamd Socket = /var/run/clamav/clamd.ctl
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no
Mail Header = X-%org-name%-MailScanner-VirusCheck:
Information Header = X-%org-name%-MailScanner-Information:
Information Header Value = MailScanner Version 4.84.6
Always Include SpamAssassin Report = yes
Archive Mail = /home/MailScanner/archive/_DATE_/messages
Missing Mail Archive Is = file
Use SpamAssassin = yes
Required SpamAssassin Score = 5
Log Spam = yes
Install some extra PERL modules...
sudo apt-get install libdbi-perl libdbd-sqlite3-perl libfilesys-df-perl libio-stringy-perl libnet-cidr-perl libsys-sigaction-perl libmime-tools-perl libarchive-zip-perl libole-storage-lite-perl
Check that it works so far...
sudo /usr/sbin/MailScanner --version
Create some more directories for ClamAV, Postfix and MailScanner to work together...
chown postfix /var/spool/postfix/
mkdir /var/spool/MailScanner/spamassassin/
chown -R postfix:postfix /var/spool/MailScanner/*
chmod -R g+w /var/spool/MailScanner/*
chgrp -R clamav /var/spool/MailScanner/incoming/
find /var/spool/MailScanner/incoming/ -type d -exec chmod 0770 {} \;
find /var/spool/MailScanner/incoming/ -type f -exec chmod 0664 {} \;
Create the MailScanner archiving script...
mkdir /root/bin
nano /root/bin/mailscanner_archive.sh
#!/bin/bash
# Creates today's archive directory and messages file (matching the _DATE_
# placeholder in Archive Mail) so MailScanner can append to it.
ARCHIVE=/home/MailScanner/archive
DIRNAME=$( date +%Y%m%d )
MESSAGES=messages
/usr/bin/logger -p 'mail.info' "Checking for MailScanner message archive..."
if [ -f "$ARCHIVE/$DIRNAME/$MESSAGES" ] ; then
    echo "$ARCHIVE/$DIRNAME/$MESSAGES exists."
else
    mkdir -p "$ARCHIVE"
    mkdir -p "$ARCHIVE/$DIRNAME"
    touch "$ARCHIVE/$DIRNAME/$MESSAGES"
    # MailScanner runs as postfix, so it must own (and be able to write) the archive
    chown -R postfix:postfix "$ARCHIVE/"
    chmod g+w "$ARCHIVE/$DIRNAME/$MESSAGES"
    echo "$ARCHIVE/$DIRNAME/$MESSAGES created."
fi
Make the script executable...
chmod 0700 /root/bin/mailscanner_archive.sh
Run the MailScanner archiving script...
/root/bin/mailscanner_archive.sh
Fix the AppArmor bug for ClamAV...
sudo usermod -a -G www-data clamav
sudo nano /etc/apparmor.d/usr.sbin.clamd
# mailscanner
/var/spool/MailScanner/** rw,
/var/spool/MailScanner/incoming/** rw,
sudo /etc/init.d/apparmor reload
Change SpamAssassin settings...
nano /etc/MailScanner/spam.assassin.prefs.conf
# use_auto_whitelist 0
bayes_ignore_header X-mydomain-MailScanner
bayes_ignore_header X-mydomain-MailScanner-VirusCheck
bayes_ignore_header X-mydomain-MailScanner-SpamCheck
bayes_ignore_header X-mydomain-MailScanner-SpamScore
bayes_ignore_header X-mydomain-MailScanner-Information
envelope_sender_header X-mydomain-MailScanner-From
bayes_path /var/spool/MailScanner/spamassassin/bayes
bayes_file_mode 0660
Fix the missing link for MailScanner and SpamAssassin...
sudo ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/mail/spamassassin/mailscanner.cf
Initialise the Bayes databases...
cd /tmp/
sudo -u postfix -g postfix sa-learn --sync
Check that they are being used...
cd /tmp/
sudo -u postfix -g postfix sa-learn -D --dump magic
Mar 4 17:49:50.258 [10827] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks
Mar 4 17:49:50.259 [10827] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
Mar 4 17:49:50.259 [10827] dbg: bayes: found bayes db version 3
0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens
0.000          0          0          0  non-token data: oldest atime
0.000          0          0          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0          0          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count
ls -lah /var/spool/MailScanner/spamassassin/
-rw-rw---- 1 postfix postfix   12 2015-03-04 17:47 bayes.mutex
-rw-rw---- 1 postfix postfix  12K 2015-03-04 17:47 bayes_seen
-rw-rw---- 1 postfix postfix  12K 2015-03-04 17:47 bayes_toks
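A freshly synced database like the one above has nspam and nham at zero, and SpamAssassin does not apply BAYES_* rules until both counters reach bayes_min_spam_num and bayes_min_ham_num (200 each by default). The shell function below, an added example rather than anything from this page or the MailScanner project, reads the "sa-learn --dump magic" output on stdin and reports how far training is from that point; the sample magic output embedded in it is constructed.

```sh
#!/bin/sh
# bayes_status: read "sa-learn --dump magic" output on stdin and report whether
# the Bayes classifier has enough training to be used for scoring.
# $1 / $2 override the thresholds; defaults are SpamAssassin's own
# bayes_min_spam_num / bayes_min_ham_num (200 each).
# Exit status: 0 = active, 1 = still learning, 2 = no magic data found.
bayes_status() {
    min_spam="${1:-200}"
    min_ham="${2:-200}"
    awk -v min_spam="$min_spam" -v min_ham="$min_ham" '
        # Magic rows look like "0.000  0  123  0  non-token data: nspam";
        # the third column carries the value.
        /non-token data: nspam[ \t]*$/   { nspam = $3 }
        /non-token data: nham[ \t]*$/    { nham = $3 }
        /non-token data: ntokens[ \t]*$/ { ntokens = $3 }
        END {
            if (nspam == "" || nham == "") {
                print "bayes: no magic data (was sa-learn run as the Bayes db owner?)"
                exit 2
            }
            printf "bayes: nspam=%d nham=%d ntokens=%d\n", nspam, nham, ntokens
            if (nspam + 0 >= min_spam + 0 && nham + 0 >= min_ham + 0) {
                print "bayes: active"
                exit 0
            }
            printf "bayes: NOT active, need %d more spam and %d more ham\n",
                (nspam + 0 < min_spam + 0 ? min_spam - nspam : 0),
                (nham + 0 < min_ham + 0 ? min_ham - nham : 0)
            exit 1
        }'
}

# Real use on the server (the dbg lines go to stderr and are dropped):
#   sudo -u postfix -g postfix sa-learn --dump magic 2>/dev/null | bayes_status
#
# Constructed sample matching a freshly initialised database (all counters zero).
SAMPLE_MAGIC='0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens'
printf '%s\n' "$SAMPLE_MAGIC" | bayes_status \
    || echo "(status $?: keep feeding sa-learn --spam / --ham before trusting BAYES_* rules)"
```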
Tweak MailScanner virus scanning settings for ClamAV...
nano /etc/MailScanner/virus.scanners.conf
clamav /usr/share/MailScanner/clamav-wrapper /usr
#generic
nano /usr/share/MailScanner/clamav-autoupdate
$PackageDir = shift || "/usr";
Another tweak: switch the Postfix pickup and qmgr services from unix to fifo transport...
nano /etc/postfix/master.cf
pickup    fifo  n
qmgr      fifo  n
Important setting for Postfix and MailScanner: every received message is put in the hold queue, which is where MailScanner picks it up (the file is only consulted if main.cf has header_checks = regexp:/etc/postfix/header_checks)...
nano /etc/postfix/header_checks
/^Received:/ HOLD
Final tweaks to users and groups...
usermod -a -G postfix clamav
usermod -a -G clamav postfix
usermod -a -G www-data postfix
groups clamav
groups postfix
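The layout built up in the directory, AppArmor and group steps above (postfix-owned work files readable by the clamav group, Bayes databases 0660 and owned by postfix) is easy to break with a later chown -R. The function below, an added example that is not from this page or the MailScanner project, re-checks that layout with find; the paths, modes and default user/group names are the ones used above, and the check itself is an assumption of this example rather than documented MailScanner behaviour.

```sh
#!/bin/sh
# check_spool_perms: verify the ownership/mode layout so that MailScanner
# (Run As User, normally postfix) can write its work files, clamd (group
# clamav) can read them, and the Bayes databases stay private to postfix.
#   $1 = MailScanner spool root      (e.g. /var/spool/MailScanner)
#   $2 = expected owner              (default postfix)
#   $3 = group clamd scans as        (default clamav)
#   $4 = group owning the Bayes dbs  (default postfix)
# Prints every offending path; returns 0 only when everything matches.

# report: stdin = offending paths, $1 = description; returns 1 if any were read.
report() {
    n=0
    while read -r p; do
        echo "$1: $p"
        n=1
    done
    return "$n"
}

check_spool_perms() {
    spool="$1"
    owner="${2:-postfix}"
    scan_group="${3:-clamav}"
    sa_group="${4:-postfix}"
    rc=0
    for d in "$spool/incoming" "$spool/spamassassin"; do
        [ -d "$d" ] || { echo "missing directory: $d"; return 1; }
    done
    # Work directories: 0770 so the scanner group can traverse them but nobody else can.
    find "$spool/incoming" -type d \
        ! \( -user "$owner" -group "$scan_group" -perm 0770 \) \
        | report "expected $owner:$scan_group 0770 on directory" || rc=1
    # Unpacked message parts: 0664, readable by the scanner group.
    find "$spool/incoming" -type f \
        ! \( -user "$owner" -group "$scan_group" -perm 0664 \) \
        | report "expected $owner:$scan_group 0664 on file" || rc=1
    # Bayes databases: 0660 (bayes_file_mode) and owned by the SpamAssassin user/group.
    find "$spool/spamassassin" -maxdepth 1 -type f -name 'bayes*' \
        ! \( -user "$owner" -group "$sa_group" -perm 0660 \) \
        | report "expected $owner:$sa_group 0660 on Bayes db" || rc=1
    [ "$rc" -eq 0 ] && echo "spool permissions OK: $spool"
    return "$rc"
}

# Run as root on the mail server after the chown/chmod steps above:
#   sh check_spool.sh /var/spool/MailScanner
if [ $# -gt 0 ]; then
    check_spool_perms "$@"
fi
```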
Restart services...
service postfix restart
service clamav-daemon restart
Final testing...
pkill MailScanner
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint
Add the boot startup script...
sudo nano /etc/rc.local
# mailscanner
/root/bin/mailscanner_archive.sh
/usr/sbin/check_mailscanner
exit 0
Go for launch...
service postfix restart
pkill -HUP MailScanner
/usr/sbin/check_mailscanner
Now, DCC. Download and install...
sudo -i
cd /root/misc/
mkdir dcc
cd dcc/
wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z
tar -xzvf dcc.tar.Z
cd dcc-1.3.158/
./configure
make
make install
Configure to use the always running daemon...
nano /var/dcc/dcc_conf
DCCIFD_ENABLE=on
Create the automatic startup links and start dccifd...
cp /var/dcc/libexec/rcDCC /etc/init.d/adcc
update-rc.d adcc defaults
/etc/init.d/adcc start
Test if dccifd is running...
netstat -nap |grep 'dcc'
udp        0      0 0.0.0.0:52926           0.0.0.0:*                           2599/dccifd
unix  2      [ ACC ]     STREAM     LISTENING     70691    2598/dccifd         /var/dcc/dccifd
unix  2      [ ]         DGRAM                    70144    2599/dccifd
Enable the SpamAssassin DCC plugin...
nano /etc/mail/spamassassin/v310.pre
loadplugin Mail::SpamAssassin::Plugin::DCC
nano /etc/mail/spamassassin/mailscanner.cf
ifplugin Mail::SpamAssassin::Plugin::DCC
dcc_home /var/dcc
dcc_dccifd_path /var/dcc/dccifd
dcc_path /usr/local/bin/dccproc
endif
Download a test spam email message and train SpamAssassin...
cd /root/misc/dcc
wget http://www200.pair.com/mecham/spam/sample-spam.txt
sa-learn --spam sample-spam.txt
spamassassin -D dcc <sample-spam.txt
It should show...
dbg: dcc: connected to local socket /var/dcc/dccifd
All is good. Now restart MailScanner to use DCC...
pkill MailScanner
/usr/sbin/check_mailscanner
Next, Razor...
cd
sudo apt-get install -y razor
rm /etc/razor/razor-agent.conf
razor-admin -create
razor-admin -register
sed -i 's/= 3/= 0/' /root/.razor/razor-agent.conf
cp -av .razor /var/spool/postfix/
chown -R postfix:postfix /var/spool/postfix/.razor/
chmod g+w /var/spool/postfix/.razor/
nano /etc/mail/spamassassin/v310.pre
loadplugin Mail::SpamAssassin::Plugin::Razor2
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint
wget http://www200.pair.com/mecham/spam/sample-spam.txt
spamassassin -D razor2 <sample-spam.txt
cd
pkill MailScanner
/usr/sbin/check_mailscanner
Next, Pyzor...
sudo apt-get install -y pyzor
pyzor discover
cp -av .pyzor /var/spool/postfix/
chown -R postfix:postfix /var/spool/postfix/.pyzor/
chown postfix /var/spool/postfix/
which pyzor
nano /etc/mail/spamassassin/v310.pre
loadplugin Mail::SpamAssassin::Plugin::Pyzor
nano /etc/mail/spamassassin/mailscanner.cf
ifplugin Mail::SpamAssassin::Plugin::Pyzor
pyzor_path /usr/bin/pyzor
endif
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint
wget http://www200.pair.com/mecham/spam/sample-spam.txt
spamassassin -D pyzor <sample-spam.txt
Now restart MailScanner...
cd
pkill MailScanner
/usr/sbin/check_mailscanner
TWEAK: Sendmail (DEPRECATED)
sudo nano /etc/mail/sendmail.cf
PrivacyOptions=noetrn
DeliveryMode=queueonly
QueueDirectory=/var/spool/mqueue.in
http://www.mailscanner.info/sendmail.html
SET: System Wide Maildir Email Directory
sudo nano /etc/bash.bashrc
MAIL=$HOME/.maildir/
FIX: Dovecot Startup Script
cd /etc/init.d/
sudo ln -s /lib/init/upstart-job dovecot
sudo update-rc.d dovecot defaults
sudo service dovecot start
HOWTO: LAMP:
Linux, Apache, MySQL, PHP
sudo apt-get install apache2
sudo apt-get install mysql-server mysql-client
sudo service mysql status
sudo apt-get install php5 php5-mysql libapache2-mod-php5
sudo apt-get install phpmyadmin
Thanks to Unixmen.
HOWTO: NAGIOS 3:
Also see the dedicated wiki page Nagios3.
sudo apt-get install nagios3 nagios-nrpe-plugin
sudo usermod -a -G nagios www-data
sudo chmod -R +x /var/lib/nagios3/
sudo nano /etc/nagios3/nagios.cfg
check_external_commands=1
sudo /etc/init.d/nagios3 restart
sudo apt-get install nagios-nrpe-server nagios-plugins
sudo nano /etc/nagios/nrpe.cfg
allowed_hosts=127.0.0.1,192.168.0.171
Thanks to Unixmen.
HOWTO: MISCELLANEOUS
Test TCP Ports With Netcat
Start listening server...
netcat -l 80
Connect from your computer...
netcat serverIP 80
Type a cheery message...
hello
Check in listening server...
hello
Stop servers and close netcat...
CTRL+C
Increase your Linux server Internet speed with TCP BBR congestion control
Server Security Hardening
https://www.cyberciti.biz/tips/linux-security.html
Web Admin Control Panel
Canonical Livepatch Service
Apply critical kernel patches without rebooting.
https://www.ubuntu.com/server/livepatch
Encryption
USB Drive
Encryption TO BE DONE.
Daily Use
udisksctl unlock -b /dev/disk/by-uuid/c985c79b-69bb-4751-afef-b6333fd834ba
udisksctl mount -b /dev/dm-0
udisksctl unmount -b /dev/dm-0
udisksctl lock -b /dev/disk/by-uuid/c985c79b-69bb-4751-afef-b6333fd834ba
udisksctl power-off -b /dev/disk/by-uuid/c985c79b-69bb-4751-afef-b6333fd834ba
Thanks - https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage
Thanks - https://unix.stackexchange.com/questions/188553/mounting-luks-from-the-command-line
Full Hard Disk Drive
Dropbear SSH for InitramFS Boot
http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/
$ apt-cache search dropbear
openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remote machines
dropbear - transitional dummy package for dropbear-{run,initramfs}
dropbear-bin - lightweight SSH2 server and client - command line tools
dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
dropbear-run - lightweight SSH2 server and client - startup scripts
Rotate Log Files Manually
savelog -l -n -p mail.log
Stress Testing
sudo apt-get install stress
sudo stress --cpu 2 --io 1 --vm 1 --vm-bytes 128M --hdd 1 --timeout 10s
Thanks Cyberciti.
Backup Whole Entire System (less /home)
sudo -i
cd /
tar -cvpzf /backup.tar.gz --exclude=/backup.tar.gz --exclude=/home --one-file-system /