Initial System Setup

Last Edit: 2024.12.20

Debian / Ubuntu

Fedora / Rocky / RHEL

OpenSUSE MicroOS

Overview

Post-installation configuration for a freshly provisioned Linux server.

Assumptions

  • Logged in as root user.

Update

Before getting started, update package repositories and apply upgrades for the latest patches.

# Debian
apt update
apt upgrade
# Fedora
dnf check-update
dnf upgrade
# MicroOS
transactional-update update && reboot

Sudo Setup

Install Sudo

Sudo [1][2][3] is included in many Linux distributions by default. Install it if it is not present.

# Debian
apt install sudo
# Fedora
dnf install sudo
# MicroOS
transactional-update pkg install sudo && reboot

Check Sudo Group

Most distributions already ship a group whose members may use sudo. If you are unsure, inspect the sudoers file with the visudo command and look for the rule listed in the table below for your distribution.

Distribution   Group   Sudoers rule
Debian         sudo    %sudo ALL=(ALL:ALL) ALL
Fedora         wheel   %wheel ALL=(ALL:ALL) ALL
MicroOS        wheel   %wheel ALL=(ALL:ALL) ALL

Configure Sudo Group

If no such group exists yet, add one now. Start by creating the group.

# Debian
groupadd sudo
# Fedora
groupadd wheel
# MicroOS
groupadd wheel

Edit the sudo configuration with visudo rather than a plain editor: visudo locks the file against concurrent edits and checks the syntax before saving, so a typo cannot leave the system without a working sudo.

visudo

Add a sudoers rule for the new group, allowing every member to run any command as any user and group after authenticating with their own password.

# Debian
%sudo ALL=(ALL:ALL) ALL
# Fedora
%wheel ALL=(ALL:ALL) ALL
# MicroOS
%wheel ALL=(ALL:ALL) ALL

Create Admin User

Create a non-root, administrative, sudo user for everyday use.

Add User

Add a new user, exampleuser, with a home directory. useradd takes its default login shell from /etc/default/useradd, which on Debian is /bin/sh; pass -s /bin/bash if the account should get bash.

useradd -m exampleuser

Set a password for the new user. Enter a strong, generated password when prompted.

passwd exampleuser

Add Group

Add the newly created user to the sudo group for your system, granting them administrative privileges.

# Debian
usermod -aG sudo exampleuser
# Fedora
usermod -aG wheel exampleuser
# MicroOS
usermod -aG wheel exampleuser

Group membership is read at login, so start a fresh session as the user before testing. From then on, execute a given command with root privileges by prefacing it with sudo; sudo -l lists what the account is allowed to run.
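The check this procedure relies on (is there a rule for the group, and does it still require a password) as an added shell example; it is not part of the original guide. sudoers_files, sudo_group_rules and sudo_group_grant are this example's own functions, the file argument exists so it can be run against a copy of /etc/sudoers, and the sample sudoers shown in the usage comment is constructed. Beyond what the text covers, it also walks the @includedir / #includedir drop-in directory, which is where NOPASSWD rules usually hide.

```sh
#!/bin/sh
# Added example, not from the original guide: report what a sudoers file grants
# to a group. It reads the given sudoers file plus the drop-in directory named
# on any "@includedir" / "#includedir" line, skipping file names that contain a
# dot or end in "~" as sudo itself does, and looks for an uncommented
# full-access rule:   %GROUP ALL=(ALL:ALL) ALL   or   %GROUP ALL=(ALL) ALL
# Output: "password" (full sudo, own password required), "nopasswd" (full sudo
# without a password), or "none".
# Usage: sudo_group_grant GROUP [SUDOERS_FILE]   (default /etc/sudoers, root-only)

# List the sudoers file and the drop-ins it includes, in sudo's read order.
sudoers_files() {
    printf '%s\n' "$1"
    # A relative includedir path is taken relative to the including file's dir.
    for dir in $(sed -n 's/^[@#]includedir[[:space:]]\{1,\}//p' "$1"); do
        case $dir in /*) ;; *) dir=$(dirname "$1")/$dir ;; esac
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case ${f##*/} in *.*|*~) continue ;; esac   # sudo ignores these names
            printf '%s\n' "$f"
        done
    done
}

# Print every uncommented rule line that starts with %GROUP across those files.
sudo_group_rules() {
    sudoers_files "$2" | while IFS= read -r f; do
        grep -E "^[[:space:]]*%$1[[:space:]]" "$f" || true   # no match is not an error
    done
}

sudo_group_grant() {
    group=$1; file=${2:-/etc/sudoers}
    if [ ! -r "$file" ]; then
        echo "sudo_group_grant: cannot read $file (run as root?)" >&2
        return 1
    fi
    # Anchored rule shape:  %group  ALL = (ALL[:ALL])  [NOPASSWD:]  ALL
    shape="^[[:space:]]*%$group[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+"
    rules=$(sudo_group_rules "$group" "$file")
    if printf '%s\n' "$rules" | grep -Eq "${shape}NOPASSWD:[[:space:]]*ALL[[:space:]]*$"; then
        echo nopasswd            # the weakest grant is the one worth reporting
    elif printf '%s\n' "$rules" | grep -Eq "${shape}ALL[[:space:]]*$"; then
        echo password
    else
        echo none
    fi
}

# Stand-alone use:  sudo ./sudo_group_grant.sh wheel
# On a constructed sudoers with "%wheel ALL=(ALL:ALL) ALL" in the main file and
# "%ops ALL=(ALL) NOPASSWD: ALL" in sudoers.d/90-ops this prints "password" for
# wheel, "nopasswd" for ops and "none" for a group with no rule.
if [ $# -gt 0 ]; then sudo_group_grant "$@"; fi
```

Run it once per distribution group after the visudo step and once more after adding the admin user; a "nopasswd" result for any group that has members is worth a second look, since it is usually a leftover from provisioning tooling rather than an intended grant.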

Disable Root Login

Once the sudo user has been confirmed to run commands, start a new session as that user and disable the root account's ability to log in. Keep a working session open until the change has been tested.

Open the /etc/passwd file (vipw does the same while holding a lock on the file).

sudo vim /etc/passwd

Find the root user definition, should resemble the following.

root:x:0:0:root:/root:/bin/bash

Replace the /bin/bash shell with /sbin/nologin. Confirm the path first with command -v nologin: on Debian the binary lives at /usr/sbin/nologin, and /sbin/nologin only resolves on a merged-/usr installation. usermod -s with that path and the user root makes the same change without hand-editing the file.

root:x:0:0:root:/root:/sbin/nologin

The change applies to new logins immediately; no reboot is needed. Attempts to log in as root, including su - and sudo -i, both of which start root's login shell from /etc/passwd, are refused with the following message. Use sudo -s or sudo with a command instead. Rescue mode (sulogin) also starts root's shell from /etc/passwd, so make sure a console recovery path exists before relying on this.

This account is currently not available.

Unattended Upgrades

Set up unattended upgrades so that security updates are installed automatically. This section applies to Debian; Fedora offers the same through the dnf-automatic package and its timer, and MicroOS updates itself through transactional-update.timer.

Install the unattended-upgrades package.

sudo apt install unattended-upgrades

The package's postinst enables the periodic run by writing /etc/apt/apt.conf.d/20auto-upgrades; confirm that file contains APT::Periodic::Unattended-Upgrade "1";. The runs themselves are driven by apt-daily.timer and apt-daily-upgrade.timer; unattended-upgrades.service exists so that an upgrade in progress can finish cleanly at shutdown, and should be enabled.

sudo systemctl enable unattended-upgrades

The default configuration in /etc/apt/apt.conf.d/50unattended-upgrades installs updates from the security origin only, which is acceptable for most servers.

To override settings, create a new file that sorts after it. apt reads the fragments in /etc/apt/apt.conf.d in lexical order and the last assignment of a value wins, so a file with a lower prefix would itself be overridden by 50unattended-upgrades wherever both set the same option.

sudo nano /etc/apt/apt.conf.d/52-operator-unattended-upgrades

Check the merged result with apt-config dump (filter for Unattended-Upgrade), and exercise the configuration without changing anything with unattended-upgrade --dry-run --debug.

Secure OpenSSH

Secure the OpenSSH configuration. If setting up OpenSSH for the first time, verify the openssh-server package is on the system.

# Debian
sudo apt install openssh-server
# Fedora
sudo dnf install openssh-server
# MicroOS
sudo transactional-update pkg install openssh-server && reboot

OpenSSH Config

Harden the OpenSSH server configuration.

Create a drop-in file for the custom directives. Note how sshd merges configuration: it keeps the first value it reads for each keyword, and the Include /etc/ssh/sshd_config.d/*.conf line sits at the top of sshd_config, so a drop-in overrides the main file, and among drop-ins the lexically earlier name wins. Where a distribution ships its own drop-in (Fedora's 50-redhat.conf, for example), a file named 60-operator.conf only takes effect for keywords that file does not set; pick a lower number for settings that must win, and confirm the effective values with sudo sshd -T.

sudo vim /etc/ssh/sshd_config.d/60-operator.conf

Add the following directives, adjusted as needed. The Protocol 2 setting is omitted: SSH protocol 1 was removed in OpenSSH 7.6, and current sshd logs "Deprecated option Protocol" and ignores the line.

Setting               Value   Description
PermitRootLogin       no      Disallow root login via SSH.
MaxAuthTries          3       Maximum authentication attempts per connection.
ClientAliveInterval   900     Seconds without client data before sshd sends a keepalive request.
ClientAliveCountMax   1       Unanswered keepalives tolerated before the connection is dropped. Do not use 0: since OpenSSH 8.2 a value of 0 disables termination entirely instead of dropping the session after the first interval.

PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 900
ClientAliveCountMax 1

A responsive client answers the keepalive automatically, so the two ClientAlive settings clean up dead connections; they are not an idle-session timeout. Once key-based login works, also add PasswordAuthentication no.

Check the syntax (sshd -t) and then restart the SSH service for the changes to take effect. Keep the current session open and confirm that a new login works before closing it.

sudo systemctl restart sshd
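The first-value-wins merge order described above is easy to get wrong, so here is an added shell example that reproduces it and audits the settings from this section. It is not from the original guide and not OpenSSH's own tooling (sshd -T remains the authoritative check); SSHD_CONFDIR and the function names are this example's own, and SSHD_CONFDIR exists so it can be pointed at a copy of the configuration. It handles the keyword-value line form only, and stops at the first Match block, whose lines are conditional.

```sh
#!/bin/sh
# Added example, not from the original guide: resolve the value sshd will use
# for a keyword by reproducing the rules in sshd_config(5): files are read top
# to bottom, an Include line is expanded in place (globs in lexical order,
# relative paths taken from /etc/ssh), and the FIRST value seen for a keyword
# wins. So a drop-in pulled in by the Include at the top of sshd_config beats
# the main file, and among drop-ins the lexically earlier name beats the later.
# Lines from the first Match block onward are conditional and are ignored here.
# SSHD_CONFDIR is this example's own knob; the default is the real directory.
: "${SSHD_CONFDIR:=/etc/ssh}"

# Emit "keyword value" lines (keyword lower-cased) from stdin, in sshd's read
# order, with Include directives expanded.
sshd_lines() {
    while read -r kw rest || [ -n "$kw" ]; do
        case $kw in ''|'#'*) continue ;; esac
        lkw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')
        case $lkw in
            match) return 0 ;;
            include)
                set -f; set -- $rest; set +f          # split arguments, no globbing yet
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$SSHD_CONFDIR/$pat ;; esac
                    for inc in $pat; do               # glob expands here, sorted
                        [ -f "$inc" ] && ( sshd_lines < "$inc" )   # subshell keeps our loop state
                    done
                done ;;
            *) printf '%s %s\n' "$lkw" "$rest" ;;
        esac
    done
}

# Effective value of KEYWORD (case-insensitive) from CONFIG (default
# $SSHD_CONFDIR/sshd_config); prints nothing when sshd would use its built-in default.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sshd_lines < "${2:-$SSHD_CONFDIR/sshd_config}" |
        awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Audit the settings from this guide and flag two version traps: "Protocol" is
# ignored since OpenSSH 7.6, and ClientAliveCountMax 0 has, since OpenSSH 8.2,
# disabled connection termination rather than enforcing it.
# Prints one line per finding; returns 0 when everything is as intended.
sshd_audit() {
    cfg=${1:-$SSHD_CONFDIR/sshd_config}
    rc=0
    for want in "permitrootlogin no" "maxauthtries 3"; do
        k=${want%% *}; v=${want#* }
        got=$(sshd_effective "$k" "$cfg")
        if [ "$got" != "$v" ]; then
            echo "$k: want $v, effective '${got:-built-in default}'"; rc=1
        fi
    done
    if [ "$(sshd_effective ClientAliveCountMax "$cfg")" = 0 ]; then
        echo "clientalivecountmax: 0 disables termination on OpenSSH 8.2 and later"; rc=1
    fi
    if [ -n "$(sshd_effective Protocol "$cfg")" ]; then
        echo "protocol: ignored since OpenSSH 7.6, remove the line"
    fi
    return $rc
}

# Stand-alone use:  ./sshd_effective.sh PermitRootLogin    or    ./sshd_effective.sh audit
if [ $# -gt 0 ]; then
    case $1 in audit) sshd_audit ;; *) sshd_effective "$1" ;; esac
fi
```

Running the audit against a tree where a distribution drop-in named 50-something.conf sets a keyword that 60-operator.conf also sets shows the 50 value winning; that is the case the lower-number advice above is about.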

Login Banner

The login banner presents a message to users before they authenticate over SSH. Optionally configure this to present a toothless warning.

Open the /etc/issue.net file.

sudo vim /etc/issue.net

Configure the login banner text, a disconnect warning for example.

AUTHORIZED ACCESS ONLY
DISCONNECT IMMEDIATELY

Enable the login banner in the OpenSSH config file.

sudo vim /etc/ssh/sshd_config.d/60-operator.conf

Add a Banner directive pointing at the file. The main /etc/ssh/sshd_config carries a commented-out #Banner none line, which can stay as it is; the drop-in takes precedence.

Banner /etc/issue.net

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd

Firewall Setup

Set up a firewall for the system using firewalld. Only allow connections on the ports needed by the services the server provides. Reference common ports on Wikipedia's port list.

Install Firewall Manager

Install Firewalld for firewall policy management.

# Debian
sudo apt install firewalld
# Fedora
sudo dnf install firewalld
# MicroOS
sudo transactional-update pkg install firewalld && reboot

Check Connections

Review the active firewall rules using the firewall-cmd command. These commands talk to the running daemon; if firewalld is not running yet they fail with "FirewallD is not running", in which case either start the service first or use firewall-offline-cmd, which edits the permanent configuration directly.

sudo firewall-cmd --list-all-zones
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --permanent --list-all

Allow Connections

Add the services or ports the system's applications require.

firewalld's public zone allows the ssh service by default, but when working remotely confirm this before the firewall starts enforcing, otherwise the session is the first thing to be cut off. The following makes the allowance explicit and permanent.

sudo firewall-cmd --zone=public --add-service=ssh --permanent

Reload firewalld to apply changes.

sudo firewall-cmd --reload

Enable the Firewall

Enable and start the firewall to begin enforcing the rules. Incoming connections that do not match an allowed service or port in the active zone are rejected (the public zone's default target rejects rather than silently drops); established connections and outgoing traffic are unaffected.

sudo systemctl enable firewalld
sudo systemctl start firewalld

References



  1. Debian. "Sudo." 2024.

  2. Fedora. "Sudo." 2024.

  3. MicroOS. "Sudo." 2024.

  4. Debian. "Debian Documentation." 2024.

  5. Debian. "Unattended Upgrades." 2023.

  6. Osamu Aoki. "Debian Reference." 2024.

  7. OpenSUSE Contributors. "OpenSUSE MicroOS Documentation." 2024.

  8. SUSE LLC. "OpenSUSE MicroOS Wiki." 2024.

  9. SUSE LLC. "Administering SLE Micro using the transactional-update command." 2024.