NEW Virtual Machine SETUP
SSH into the server using any of the SSH keys that you enabled during the configuration setup step. For example, ssh root@162.x.x.x
Once you ssh into the server, update the software packages
apt update
apt upgrade -y
Disable password authentication
vim /etc/ssh/sshd_config
Change PasswordAuthentication to no:
PasswordAuthentication yes
to
PasswordAuthentication no
Disable Empty Passwords
PermitEmptyPasswords no
Install several packages that are necessary
apt install -y curl tmux zsh vim mosh unzip iftop net-tools nmap
apt install -y nload iotop htop
apt install -y git python python3 python3-pip
apt install -y ca-certificates
update-ca-certificates
curl https://rclone.org/install.sh | sudo bash
Install the unattended-upgrades package to update only security packages
apt install unattended-upgrades
Install docker-compose
curl -L https://github.com/docker/compose/releases/download/1.26.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
cd /usr/local/bin && chmod 755 docker-compose
echo 'export PATH=$PATH:/usr/local/bin' >> /root/.bashrc
Set time zone to India
timedatectl set-timezone Asia/Kolkata
Add a new user named ubuntu
adduser --disabled-password ubuntu
add user to sudo group
adduser ubuntu sudo
edit visudo
visudo
Add the following (for CentOS, change the user name)
ubuntu ALL = NOPASSWD : ALL
save and exit
Remove root login if required
vim /etc/ssh/sshd_config
edit the following line
PermitRootLogin yes
to
PermitRootLogin no
After changing, save and exit
Keep another session open and restart the ssh or sshd service (the unit is named ssh on Ubuntu and sshd on CentOS; run the one that matches your system)
systemctl restart sshd
systemctl restart ssh
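One way to confirm the three sshd_config changes above took effect (an added example, not part of the original guide): sshd keeps the first value it reads for each keyword, so a drop-in file read ahead of your edit can leave password logins enabled. The function names are hypothetical, the file order assumes the Include line sits at the top of sshd_config as on recent Ubuntu releases, and anything after a Match line is skipped.

```bash
#!/bin/sh
# Added example (hypothetical helper names). sshd uses the FIRST value it
# reads for a keyword, so pass the files in the order sshd reads them.

# Print the first global value of keyword $1 found in the files that follow.
effective_sshd_value() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
    for file in "$@"; do
        [ -r "$file" ] || continue
        while read -r key value || [ -n "$key" ]; do
            case "$key" in ''|'#'*) continue ;; esac
            # Accept the "Keyword=value" spelling as well as "Keyword value".
            case "$key" in *=*) value=${key#*=}; key=${key%%=*} ;; esac
            key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
            # Simplification: everything after a Match line is conditional.
            [ "$key" = match ] && break
            if [ "$key" = "$want" ]; then
                printf '%s\n' "$value" | tr '[:upper:]' '[:lower:]'
                return 0
            fi
        done < "$file"
    done
    return 1
}

# Check the three settings this guide changes; an unset keyword counts as a
# failure so the result never depends on a built-in default.
audit_sshd() {
    rc=0
    for pair in PasswordAuthentication=no PermitEmptyPasswords=no PermitRootLogin=no; do
        kw=${pair%%=*}; expected=${pair#*=}
        actual=$(effective_sshd_value "$kw" "$@") || actual=unset
        if [ "$actual" = "$expected" ]; then
            echo "OK   $kw $actual"
        else
            echo "FAIL $kw is $actual, expected $expected"; rc=1
        fi
    done
    return "$rc"
}

# Example: sh audit.sh /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then audit_sshd "$@"; fi
```

On the server itself, sshd -t checks the configuration for syntax errors before the restart, and sshd -T prints the configuration sshd actually resolved.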
All of the following commands must be run as the newly created ubuntu user
su - ubuntu
Download the script to install oh-my-zsh
wget https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh && chmod 755 install.sh
Install oh-my-zsh using the downloaded script:
./install.sh --unattended && rm -f install.sh
Inside the .zshrc file, change zsh theme to agnoster like below
vim .zshrc
ZSH_THEME="agnoster"
Inside the .zshrc file, add conf for zsh plugins:
plugins=(git docker docker-compose tmux common-aliases zsh-syntax-highlighting jsontools)
Clone extra repos for zsh plugins:
git clone https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions && git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ~/.oh-my-zsh/custom/plugins/zsh-syntax-highlighting
Update the default shell to zsh:
sudo usermod -s /bin/zsh ubuntu
Log out from the ssh terminal completely and then ssh again.
su - ubuntu
Install docker:
sudo curl -fsSL https://get.docker.com/ | sh
Allow ubuntu user to use docker commands:
sudo usermod -aG docker ubuntu
Logout and Login again
su - ubuntu
sudo systemctl enable docker && sudo systemctl start docker
Set up a basic firewall to manage ports (shorewall or iptables-persistent)
Iptables-Persistent
To see the rules on your system, you can use the following iptables command.
sudo iptables -L
Save iptables rules on DEB-based systems
Install the iptables-persistent package using the apt package manager:
sudo apt install iptables-persistent
Any current iptables rules will be saved to the corresponding IPv4 and IPv6 files below:
/etc/iptables/rules.v4
/etc/iptables/rules.v6
To update persistent iptables with new rules, simply use the iptables command to add the new rules to your system. To make the changes permanent after reboot, run the iptables-save command (the redirect has to run as root, hence sh -c):
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
To remove persistent iptables rules, open the relevant /etc/iptables/rules.v* file and delete the lines containing the unwanted rules.
Save iptables rules on RPM-based systems
Install the iptables-services package using the yum or dnf package manager:
sudo yum install iptables-services
Any current iptables rules will be saved to the corresponding IPv4 and IPv6 files below:
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
Make sure that you disable firewalld and enable the iptables service in systemd.
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl start iptables
sudo systemctl enable iptables
You can then make sure that the service is running with the following command:
sudo systemctl status iptables
To update persistent iptables with new rules, simply use the iptables command to add the new rules to your system. To make the changes permanent after reboot, run the iptables-save command (the redirect has to run as root, hence sh -c):
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
sudo sh -c 'ip6tables-save > /etc/sysconfig/ip6tables'
To remove persistent iptables rules, open the relevant /etc/sysconfig/iptables or /etc/sysconfig/ip6tables file and delete the lines containing the unwanted rules.
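A check for rules that were added with iptables but never saved, and would therefore disappear on reboot (an added example, not part of the original guide; the function names are hypothetical). It compares a dump of the running rules against the saved file, on either the DEB or the RPM paths above, after removing comment lines and packet counters. As a simplification, lines are compared without regard to which table they belong to.

```bash
#!/bin/sh
# Added example (hypothetical helper names): list rules that are live in the
# kernel but absent from the saved file, i.e. rules a reboot would drop.

# Strip comment lines and [packets:bytes] counters so two dumps compare cleanly.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*\]//g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | sort -u
}

# $1 = saved rules file, $2 = dump of the running rules (iptables-save output).
# Prints the unsaved lines and returns 1 if there are any.
unsaved_rules() {
    saved_tmp=$(mktemp); live_tmp=$(mktemp)
    normalize_rules "$1" > "$saved_tmp"
    normalize_rules "$2" > "$live_tmp"
    missing=$(comm -13 "$saved_tmp" "$live_tmp")
    rm -f "$saved_tmp" "$live_tmp"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Example (DEB paths from this guide; use /etc/sysconfig/iptables on RPM):
#   sudo iptables-save > /tmp/live.v4
#   unsaved_rules /etc/iptables/rules.v4 /tmp/live.v4
```

Rules in Docker's own chains will show up as unsaved as well; Docker recreates those itself when it starts.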
Install fail2ban
The fail2ban system is an intrusion prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins is detected from a specific IP address (within a specified amount of time), fail2ban will block access from that IP address.
To install fail2ban, open a terminal window and issue the command:
sudo apt install fail2ban
Within the directory /etc/fail2ban, you'll find the main configuration file, jail.conf. Also in that directory is the subdirectory, jail.d. The jail.conf file is the main configuration file and jail.d contains the secondary configuration files. Do not edit the jail.conf file. Instead, we’ll create a new configuration that will monitor SSH logins with the command:
sudo vim /etc/fail2ban/jail.local
In this new file add the following contents:
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
This configuration does the following:
Enables the jail.
Sets the SSH port to be monitored to 22.
Uses the sshd filter.
Sets the log file to be monitored.
Sets the number of failed attempts that triggers a ban (maxretry) to 5.
Save and close that file. Restart fail2ban with the command:
sudo systemctl restart fail2ban
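To preview which addresses the jail above would act on, the following sketch replays an auth.log through the same threshold logic (an added example, not fail2ban's own code; the function name is hypothetical). It assumes the traditional "Mon DD HH:MM:SS" syslog timestamp and takes the time window as a parameter, since the jail.local above does not set findtime; the 600 seconds in the usage line is an assumed value.

```bash
#!/bin/sh
# Added example (hypothetical helper name): preview which source addresses
# reach maxretry failed SSH password logins inside a findtime window.
# Only "Failed password" lines are matched, a subset of the real sshd filter.

# $1 = auth.log file, $2 = maxretry, $3 = findtime in seconds
would_ban() {
    awk -v maxretry="$2" -v findtime="$3" '
    BEGIN {
        # Day-of-year offsets so "Mon DD HH:MM:SS" becomes seconds (non-leap).
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
        for (i = 1; i <= 12; i++) days[mon[i]] = off[i]
    }
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":")
        ts = (days[$1] + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 6; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        # Append this failure, then slide the window start past stale entries.
        n[ip]++; seen[ip, n[ip]] = ts
        while (ts - seen[ip, first[ip] + 1] > findtime) first[ip]++
        if (n[ip] - first[ip] >= maxretry) hit[ip] = 1
    }
    END { for (ip in hit) print ip }' "$1" | sort
}

# Example with the jail above: would_ban /var/log/auth.log 5 600
```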