Guide for Preparing a Ubuntu/Debian Server (In My Own Experiences)

In short, I think there should be a “comprehensive” mean to get your server/box up and running from “zero to 100” so you can “get down to business” so to speak… So I made this up so I can get hopefully soon to receiving 6 cores/12 threads machine’s very basics up and running in minutes instead of hour(s). So I thought it might helps you do the same! :slight_smile:

I have used the following sources coupled with my personal experiences with running boxes/VPSes mainly for gaming purposes…
16 Commands to Check Hardware Information on Linux - BinaryTides, Eight ways to protect SSH access on your system, https://www.linode.com/docs/guides/securing-your-server/, https://www.tecmint.com/tuned-automatic-performance-tuning-of-centos-rhel-servers/ and https://haydenjames.io/linux-performance-almost-always-add-swap-space/

Setting aside as little as an hour should be plenty, being deaf and blind even so I got it done in within the hour.

Below are the steps I believe one should probably starts with when it comes to SSH security (“config” means you need to input said configurations)…

#Backup SSH configurations
cp /etc/ssh/sshd_config ~/sshd_config_original
#Configuring SSH banner for unauthorized notifiying
nano /etc/issue.net
"Warning! Authorized use only.
This server is the property of MyCompanyName.com"
#Enter SSH configuration
nano /etc/ssh/sshd_config
#Then find line reading "# no default banner path" and configures
Banner /etc/issue.net
#Restart SSH
systemctl restart sshd 
#Enter SSH configuration
nano /etc/ssh/sshd_config
#Find line reading "PermitEmptyPasswords" and change it to...
"PermitEmptyPasswords no"
#Restart SSH
systemctl restart sshd
#Create sudo user to replace "root" user for logins
adduser example_user
#Then that same user to the sudo "group"
adduser example_user sudo
#Exit current "root" session
exit
#Test login with limited user
ssh example_user@YOURIP
#Make sure you can still sudo to "root" still
sudo su
#Not allowing "root" to login through the network
nano /etc/ssh/sshd_config
"PermitRootLogin no"
#Restricting WHO can login, I would put it near the above configuration
AllowUsers example_user
#Putting sshd behind a non-standardized port
"#Run SSH on a non-standard port
#Port 22
Port yourporthereabove1024"
#Restarts SSH
systemctl restart sshd
#Configuring Keypair on Linux PC
ssh-keygen
#Pass key to machine now
ssh-copy-id -p configuredport example_user@YOURIP
#Testing ssh key connection
ssh example_user@IP
#Final configuration for SSH Security
nano /etc/ssh/sshd_config
"PasswordAuthentication no"
#Restart SSH once more
systemctl restart sshd

Next if you got a dedicated server, it might pays to make sure you actually got what the quote/agreements said what you would be working with…

#Checking General Hardware Configurations
sudo lshw -short
#Others may be needed for instance drives' details see https://www.binarytides.com/linux-commands-hardware-info/

Finally these are OS configurations that I always do before I install everything else (firewall, game panel, etc)

#Update OS
sudo apt update && sudo apt upgrade -y
#Install and Setup Automatic Updates 
sudo apt-get install unattended-upgrades 
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades 
sudo nano /etc/apt/apt.conf.d/20auto-upgrades 
"APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";"   
#Check Network Services 
sudo ss -atpu 
#Remove any Excess Services 
sudo apt purge package_name 
#Install Tuned 
sudo apt-get install tuned tuned-utils tuned-utils-systemtap 
#Tuned Setup 
sudo systemctl enable tuned 
sudo systemctl start tuned 
sudo systemctl status tuned
#To see profiles (really there actually quite a few out there now of days with good descriptors)
sudo tuned-adm list
#Then proceed accordingly  
sudo tuned-adm profile yourchoosenprofile 
sudo tuned-adm active 
#Conversative Swap Setup (for optimized performance where RAM isn't limited) 
sudo nano /etc/sysctl.conf 
"vm.swappiness= 10
vm.vfs_cache_pressure=50" 
#(if causing excessive RAM usages) Disabling Journaling, set to none for storage 
sudo nano /etc/systemd/journald.conf 
#Restarts the Journaling 
sudo systemctl restart systemd-journald.service 
#Set Timezone 
sudo timedatectl set-timezone America/New_York

Hope this helps you guys get up and running more consistently and quicker so you can get down to business sooner than later!

2 Likes

Updated this guidance based upon deploying my KVM backup VPS I had added the following to the post above…

  1. Added timing based on how long it took me to follow it through even on a less than perfect VPS (luckily it seems like tuned as well as swap reconfigurations might’ve already optimized it despites this). I expects it based upon this it should be easily done by anybody within the hour or less (as I got it done just under an hour even though I am deaf and blind).
  2. Removed “PublicKeyAuthorization yes” as that was already there.
  3. sudo ed the commands after the SSH hardening steps were followed (just so you can actually tests this on your own first).

Hope this further helps your usage of the guidance!