This is my personal note list for preparing a root server. The list is not complete and may contain errors.
Network setup
- Install OS as usual or use image from Control Panel
Network setup
- Set/check fixed ip
- Set the "Reverse DNS" entry in Control Panel
- Add local user
useradd <username>
usermod -aG sudo <username>
- Set hostname
sudo hostnamectl set-hostname <hostname>
- Edit the /etc/hosts file
- Edit the /etc/cloud/cloud.cfg file if exists (
preserve_hostname: false to true
)
- Edit the /etc/netplan/50-cloud-init.yaml
SSH
- Add pubkey to
~/.ssh/authorized_keys
- Disable SSH login with password and permit root login in
/etc/ssh/sshd_config
file
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
- Restart SSH Daemon
service sshd restart
VIM
- VIM Color open
~/.vimrc
and add
colorsheme desert
syntax on
Enable unattended upgrades
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
Docker
- Install docker-ce here
- Install docker-compose
sudo apt-get install docker-compose-plugin
Install docker-compose here
Install docker-compose command completion here
- add username to docker group (source)
sudo usermod -aG docker $USER
Logrotate for Docker
- Create Logrotate config file for Docker containers under
/etc/logrotate.d/docker-container
with the following content:
/var/lib/docker/containers/*/*.log {
rotate 8
weekly
compress
missingok
delaycompress
copytruncate
}
- Test it with:
logrotate -fv /etc/logrotate.d/docker-container
Docker Compose aliases
- Create or append to
~/.bash_aliases
:
alias dc='docker compose'
alias dcl='docker compose logs -f --tail=200'
alias dce='docker compose exec'
alias dcb='docker compose up --build -d'
alias dcu='docker compose up -d'
alias dcul='docker compose up -d && docker-compose logs -f --tail=50'
alias dcd='docker compose down --remove-orphans'
alias dcdu='docker compose down --remove-orphans && docker compose up -d'
alias dcdul='docker compose down --remove-orphans && docker compose up -d && docker compose logs -f --tail=50'
alias dcdb='docker compose down --remove-orphans && docker compose up --build -d'
alias dcdbl='docker compose down --remove-orphans && docker compose up --build -d && docker compose logs -f --tail=50'
Docker after dist upgrade
- Update key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
- Re-enable repo
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
- update the package database with the Docker packages from the newly added repo:
sudo apt-get update
- Make sure you are install from the Docker repo instead of the default Ubuntu repo:
apt-cache policy docker-ce
- upgrade packes
sudo apt-get install docker-ce docker-ce-cli containerd.io
- reboot
fail2ban
- Install fail2ban with
sudo apt-get install fail2ban
- Create config file
/etc/fail2ban/jail.local
and add a jail for the SSH Deamon
[sshd]
enabled = true
port = <ssh port>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[traefik]
enabled = true
filter = traefik
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action
maxretry = 3
findtime = 900
bantime = 86400
[wplogin]
enabled = true
filter = wplogin
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action
maxretry = 3
findtime = 900
bantime = 86400
[unifi]
enabled = true
filter = unifi
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action
maxretry = 3
bantime = 86400
findtime = 900
- Creat filter for traefik
/etc/fail2ban/filter.d/traefik.conf
[Definition]
failregex = ^{"log":"<HOST> - \S+ \[.*\] \\"(GET|POST|HEAD) .+\" 401 .+$
ignoreregex =
- Create filter for wplogin
/etc/fail2ban/filter.d/wplogin.conf
[Definition]
failregex = ^{"log":"<HOST> -.*POST.*wp-login.php.*
ignoreregex =
- Create filter for unifi
/etc/fail2ban/filter.d/unifi.conf
[Definition]
failregex = ^{"log":"<HOST> - \S+ \[.*\] \\"POST \/api\/login.+\\" 400 .+$
- Create action
/etc/fail2ban/action.d/docker-action.conf
Unlike the out-of-the-box action, "actionban" and "actionunban" do not affect the INPUT chain, but the docker FORWARD chain "DOCKER".
[Definition]
actionstart = iptables -N f2b-docker
iptables -A f2b-docker -j RETURN
iptables -I FORWARD -p tcp -j f2b-docker
actionstop = iptables -D FORWARD -p tcp -j f2b-docker
iptables -F f2b-docker
iptables -X f2b-docker
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-docker[ \t]'
actionban = iptables -I f2b-docker -s <ip> -j DROP
actionunban = iptables -D f2b-docker -s <ip> -j DROP
[via]https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/[/via]