Initial System Setup
Debian / Ubuntu
Fedora / Rocky / RHEL
OpenSUSE MicroOS
Overview
Post installation configuration for a freshly spun Linux server.
Assumptions
- Logged in as root user.
Update
Before getting started, update package repositories and apply upgrades for the latest patches.
# Debian
apt update
apt upgrade
# Fedora
dnf check-update
dnf upgrade
# Microos
transactional-update update && reboot
Sudo Setup
Install Sudo
Sudo is included in many Linux distributions by default. Install if not included.
# Debian
apt install sudo
# Fedora
dnf install sudo
# Microos
transactional-update pkg install sudo && reboot
Check Sudo Group
Many distributions will have a group for the sudo
user already setup. If you are unsure, check the sudoers
file using the visudo
command. Refer to the table below for what to check for.
Distribution | Group | Sudoers |
---|---|---|
Debian | sudo | %sudo ALL=(ALL:ALL) ALL |
Fedora | wheel | %wheel ALL=(ALL:ALL) ALL |
MicroOS | wheel | %wheel ALL=(ALL:ALL) ALL |
Configure Sudo Group
If there is no sudo
group setup already, add one now. Start by creating a system group.
# Debian
groupadd sudo
# Fedora
groupadd wheel
# Microos
groupadd wheel
Modify the sudo configuration using visudo
, the sudoers file is read-only for all other editors.
visudo
Add a new sudoers
definition for the created group, allowing anyone in the group to utilize sudo
with a password.
# Debian
%sudo ALL=(ALL:ALL) ALL
# Fedora
%wheel ALL=(ALL:ALL) ALL
# Microos
%wheel ALL=(ALL:ALL) ALL
Create Admin User
Create a non-root, administrative, sudo
user for everyday use.
Add User
Add a new user on the system, exampleuser
.
useradd -m exampleuser
Modify and define a password for the new user. Enter a strong, generated, password when prompted.
passwd exampleuser
Add Group
Add the newly created user to the sudoers groups for your system, granting them administrative privileges.
# Debian
usermod -aG sudo exampleuser
# Fedora
usermod -aG wheel exampleuser
# Microos
usermod -aG wheel exampleuser
After adding the user to the group, execute a given command with root privileges by prefacing it with sudo
.
Disable Root Login
After verifying the sudo user is capable of executing commands, start a new session as the administrative user and disable the root accounts ability to login to the system.
Open the /etc/passwd
file.
sudo vim /etc/passwd
Find the root user definition, should resemble the following.
root:x:0:0:root:/root:/bin/bash
Replace the /bin/bash
shell with /sbin/nologin
root:x:0:0:root:/root:/sbin/nologin
After reboot, attempts to login as root will be met with the following message.
This account is currently not available.
Secure OpenSSH
Secure the OpenSSH configuration. If setting up OpenSSH for the first time, verify the openssh-server
package is on the system.
# Debian
sudo apt install openssh-server
# Fedora
sudo dnf install openssh-server
# Microos
sudo transactional-update pkg install openssh-server && reboot
OpenSSH Config
Secure the OpenSSH configuration on the system.
Create a new SSHD configuration file with a high weight for custom definitions.
sudo vim /etc/ssh/sshd_config.d/60-operator.conf
Add the following configuration definitions, adjust as needed.
Setting | Value | Description |
---|---|---|
Protocol | 2 | Only allow connections using protocol 2. |
PermitRootLogin | no | Disallow root login via SSH. |
MaxAuthTries | 3 | Maximum login attempts in a single connection. |
ClientAliveInterval | 900 | Interval to query client in seconds. |
ClientAliveCountMax | 0 | Set to 0 to terminate connection after the interval. |
Protocol 2
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 900
ClientAliveCountMax 0
Restart the SSH service for changes to take effect.
sudo systemctl restart sshd
Login Banner
The login banner presents a message to users who attempt to connect via SSH. Optionally configure this to present a toothless warning.
Open the /etc/issue.net
file.
sudo vim /etc/issue.net
Configure the login banner text, a disconnect warning for example.
AUTHORIZED ACCESS ONLY
DISCONNECT IMMEDIATLEY
Enable the login banner in the OpenSSH config file.
sudo vim /etc/ssh/sshd_config.d/60-operator.conf
Search for the the text #Banner none
in the file, uncomment the line, and specify the banner file path.
Banner /etc/issue.net
Restart the SSH service for changes to take effect.
sudo systemctl restart sshd
Firewall Setup
Setup a firewall for the system using firewalld
. You should only allow connections on the ports you need for the services your server is serving. Reference common ports on Wikipedia’s port list.
Install Firewall Manager
Install Firewalld for firewall policy management.
# Debian
sudo apt install firewalld
# Fedora
sudo dnf install firewalld
# Microos
sudo transactional-update pkg install firewalld && reboot
Check Connections
Review active firewall rules using the firewall-cmd
command.
sudo firewall-cmd --list-all-zones
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --permanent --list-all
Allow Connections
Make modifications as required by system applications.
Firewalld tends to allow SSH service connections by default, verify this before enabling the firewall when connecting remotely.
sudo firewall-cmd --zone=public --add-service=ssh --permanent
Reload firewalld
to apply changes.
sudo firewall-cmd --reload
Enable the Firewall
Enable the firewall to start enforcing the created rules. All incoming connections that aren’t explicitly allowed in the firewall will be denied.
sudo systemctl enable firewalld
sudo systemctl start firewalld
References
Debian. “Debian Documentation.” 2024. ↩︎
Debian. “Unattended Upgrades.” 2023. ↩︎
Osamu Aoki. “Debian Reference.” 2024. ↩︎
OpenSUSE Contributors. “OpenSUSE MicroOS Documentation.” 2024. ↩︎
SUSE LLC. “OpenSUSE MicroOS Wiki.” 2024. ↩︎
SUSE LLC. “Administering SLE Micro using the transactional-update command.” 2024. ↩︎