pppfz


Welcome to my super cool blockchain blog! https://blog.pppfz.com

Twelve essential configurations for a newly acquired VPS (using Ubuntu as an example) - Latest version for 2024

Recently, my server has been overloaded because of insufficient disk space (in fact, this problem has existed for a long time, but I haven't made up my mind to fix it). This time, when I was backing up the service, it was overloaded, so I decided to reinstall the system, carefully adjust some configurations, and record some processes for future reference.

1. Update Components and Package Management

To update software packages on Ubuntu, you can use the following commands:

  • Not recommended, takes too long to install
apt update && apt upgrade -y 
  • Recommended alternatives
sudo apt update  # This command updates the package list, letting the system know which packages can be updated.
sudo apt upgrade --only-upgrade # This command installs all available software package updates.

2. Common Tools

1. VIM Editor

  • Check if VIM is installed (I prefer to use the VIM editor, but Ubuntu comes with nano by default)
vim --version
  • If it is not installed, use the following command to install it
sudo apt install vim
  • Configure VIM as the default system editor.
    • It's simple, just execute this command and choose Vim. From now on, whenever the editor is automatically called, Vim will be used.
sudo update-alternatives --config editor

2. Install command-not-found

Many server providers ship a stripped-down Ubuntu image, so some handy command-line tools may not be pre-installed. For example, command-not-found suggests the package that provides a command when you type one that is not installed.

sudo apt install command-not-found

After installation, it will be more convenient to use the command line.

3. Add Regular User

adduser {your-username}   # Prompts for the password and other details (adduser does not take the password on the command line)
visudo

Add the line ubuntu ALL=(ALL) NOPASSWD: ALL under User Privilege Specification (replace ubuntu with the username you just created; the NOPASSWD: part lets sudo run without asking for the user's password, omit it if you want sudo to keep prompting).

  • Verify that the addition worked
su - {your-username}   # Switch to the new user
ls /root               # List /root (permission denied without root privileges)
sudo ls /root          # Run the same command as root through sudo (now the listing works)
exit                   # Return to the previous shell

4. Firewall Configuration

To open ports 22, 80, and 443 on Ubuntu using ufw (Uncomplicated Firewall), you can follow these steps:

  1. Check if ufw is installed:

    • If ufw is not installed, you can install it using the following command: sudo apt install ufw
  2. Open ports:

    • Open port 22: sudo ufw allow 22
    • Open port 80: sudo ufw allow 80
    • Open port 443: sudo ufw allow 443
  3. Enable the firewall:

    • Enable the ufw firewall: sudo ufw enable
  4. Check the configuration:

    • You can run sudo ufw status to check the status of the firewall and the open ports.

5. Configure SSH Login and SSH Server Security Settings

  • Generate an SSH key pair on the client (in my case the Windows side)
ssh-keygen -t rsa -f ~/.ssh/id_rsa_xxxx
  • On the server, create the authorized_keys file in the user's home directory and paste the contents of the public key (the file ending in .pub) into it.
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
  • Disable root login
    • Open the server configuration, find the PermitRootLogin line and change the value after it to no.
vim /etc/ssh/sshd_config

As follows:

PermitRootLogin no
  • Set PasswordAuthentication to no so that only key-based login is accepted, which is more secure. Confirm that a key-based login works from a second session before restarting sshd, otherwise you may lock yourself out:
PasswordAuthentication no
  • Change the SSH port to a different number. Note that after changing the port, remember to update the firewall settings (section 4) to allow the new port.
Port {SSH port number, preferably above 10000}

Finally, restart the SSH server for the changes to take effect:

sudo systemctl restart sshd.service
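As an added example (my own script, not from the original post), here is a small bash audit that checks an sshd_config file for the settings above; run it against /etc/ssh/sshd_config before restarting the server. It assumes a single main config file (Match blocks are ignored) and uses a constructed sample config for its demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit an sshd_config for the
# settings described in this section before restarting sshd. sshd uses the
# FIRST uncommented occurrence of a keyword, so that is the one we read;
# Match blocks are not handled.
set -u

# Print the first uncommented value of KEY in FILE (lower-cased), or nothing.
sshd_value() {
    local file="$1" key="$2"
    awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$file"
}

# Exit status 0 when PermitRootLogin and PasswordAuthentication are both "no";
# a port still at 22 is reported as a warning but does not fail the check.
check_sshd_config() {
    local file="$1" rc=0 v
    v=$(sshd_value "$file" PermitRootLogin)
    if [ "$v" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${v:-unset (default prohibit-password)}'"; rc=1; fi
    v=$(sshd_value "$file" PasswordAuthentication)
    if [ "$v" = "no" ]; then echo "OK   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication is '${v:-unset (default yes)}'"; rc=1; fi
    v=$(sshd_value "$file" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then echo "WARN Port is still 22"
    else echo "OK   Port $v"; fi
    return "$rc"
}

# Demonstration on a constructed sample config (not a real server's file).
demo() {
    local tmp; tmp=$(mktemp)
    printf '%s\n' '#PermitRootLogin prohibit-password' 'Port 22' \
        'PasswordAuthentication yes' > "$tmp"
    echo "== before hardening"; check_sshd_config "$tmp" || true
    printf '%s\n' 'Port 12345' 'PermitRootLogin no' \
        'PasswordAuthentication no' > "$tmp"
    echo "== after hardening";  check_sshd_config "$tmp"
    rm -f "$tmp"
}
demo
```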

6. Custom Shell Interface Installation

  • Install oh-my-zsh
sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

7. Docker Configuration

1. Install Docker

sudo apt install \
        apt-transport-https \
        ca-certificates \
        curl \
        software-properties-common
  • Then install the key:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  • Add the Docker official repository:
sudo add-apt-repository \
     "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
     $(lsb_release -cs) \
     stable"
  • Finally, install Docker. I usually also install Docker Compose at the same time.
sudo apt update
sudo apt install docker-ce docker-compose
  • After installing Docker, remember to add the current user to the docker group (if you don't want to use sudo every time you use Docker). Log out and back in for the group change to take effect, and keep in mind that members of the docker group can control the Docker daemon, which amounts to root access on the host.
sudo gpasswd -a username docker   # -a adds the user "username" to the docker group

2. Docker Log Management

Global Configuration for Log Size Limit

  • Create or modify the file /etc/docker/daemon.json and add the following configuration (keep at most 3 log files of 10 MB each per container).
{
        "log-driver": "json-file",
        "log-opts": {
                "max-file": "3",
                "max-size": "10m"
        }
}
  • Then restart the Docker service
sudo systemctl daemon-reload
sudo systemctl restart docker

However, this only applies to containers created after the restart; existing containers keep their old logging settings and have to be recreated!

Log Size Limit for Individual Containers

  • Or per service, add a logging section to the service in docker-compose.yml
logging:
  driver: json-file
  options:
    max-size: "100m"
    max-file: "3"

8. Swap Configuration

swapoff -a   # Disable all active swap first (the old swap partition or file)
dd if=/dev/zero of=/root/swapfile bs=1M count=1024  # Create the new swap file; count=1024 x 1M = 1 GiB
mkswap /root/swapfile    # Write the swap signature to the file
swapon /root/swapfile    # Activate it
  • Finally, make it persist across reboots: edit /etc/fstab and add the following line at the end: /root/swapfile swap swap defaults 0 0
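An added example (my own script, not from the original post) that performs the steps above idempotently: it skips creation when the file is already active swap, sets the file to mode 0600 before mkswap (mkswap and swapon warn about a world-readable swap file), and appends the fstab line only once. The path and size are assumed arguments; the demo at the end exercises only the two helpers on constructed temporary files, so it needs no root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the swap-file procedure above
# with two checks it leaves out. The file is chmod 600 before mkswap (mkswap
# and swapon warn about a world-readable swap file), and the /etc/fstab line
# is appended only if absent, so the script can be re-run safely.
set -eu

# Append LINE to FILE unless an identical line already exists.
# Returns 0 when the line was added, 1 when it was already present.
ensure_line() {
    local file="$1" line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null && return 1
    printf '%s\n' "$line" >> "$file"
}

# True when PATH is listed as active swap. The table defaults to /proc/swaps;
# a second argument lets the function be tested against a constructed copy.
swap_active() {
    awk -v p="$1" 'NR > 1 && $1 == p { f = 1 } END { exit !f }' "${2:-/proc/swaps}"
}

# Usage (as root): setup_swapfile /root/swapfile 1024
setup_swapfile() {
    local path="$1" size_mb="$2"
    if swap_active "$path"; then
        echo "$path is already active swap"
    else
        dd if=/dev/zero of="$path" bs=1M count="$size_mb" status=none
        chmod 600 "$path"          # lock it down before writing the signature
        mkswap "$path"
        swapon "$path"
    fi
    if ensure_line /etc/fstab "$path swap swap defaults 0 0"; then
        echo "fstab entry added"
    else
        echo "fstab entry already present"
    fi
}

# Demonstration of the two helpers on constructed files (no root needed).
demo() {
    local fstab swaps
    fstab=$(mktemp); swaps=$(mktemp)
    ensure_line "$fstab" "/root/swapfile swap swap defaults 0 0" && echo "added once"
    ensure_line "$fstab" "/root/swapfile swap swap defaults 0 0" || echo "not added twice"
    printf 'Filename Type Size Used Priority\n/root/swapfile file 1048572 0 -2\n' > "$swaps"
    swap_active /root/swapfile "$swaps" && echo "/root/swapfile listed as active"
    rm -f "$fstab" "$swaps"
}
demo
```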

9. Logrotate Log Size Limit

sudo apt install logrotate
sudo apt install cron

Then set the rotation rule for the system logs (on Ubuntu these entries normally live in /etc/logrotate.d/rsyslog): rotate weekly, or as soon as a file passes 100 MB, and keep three compressed copies.

/var/log/syslog
/var/log/mail.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/cron.log
{
        # rotate once a week, or earlier as soon as a log exceeds maxsize
        weekly
        rotate 3
        maxsize 100M
        # do not fail on a missing log, and skip empty ones
        missingok
        notifempty
        # compress rotated logs, leaving the newest one uncompressed until the next run
        compress
        delaycompress
        # run postrotate once for all the logs above, then tell rsyslog to reopen them
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

10. Fail2ban IP Blocking

https://aws.amazon.com/cn/blogs/china/open-source-tool-to-protect-ec2-instances-fail2ban/
https://github.com/fail2ban/fail2ban/issues/3420

11. Panel Installation - 1panel

curl -sSL https://resource.fit2cloud.com/1panel/package/quick_start.sh -o quick_start.sh && sudo bash quick_start.sh

sudo apt autoremove docker-compose

12. Regular Security Updates

  • Install unattended-upgrades to install security updates automatically.

With unattended-upgrades, you can automatically perform routine security-related updates on Ubuntu to keep the system secure.

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Original article:

https://blog.pppfz.com/posts/new-vps-common-setup.html
