Initial System Setup

Debian / Ubuntu

Fedora / Rocky / RHEL

OpenSUSE MicroOS

Overview

Post installation configuration for a freshly spun Linux server.

Assumptions

• Logged in as root user.

Update

Before getting started, update package repositories and apply upgrades for the latest patches.

# Debian
apt update
apt upgrade

# Fedora
dnf check-update
dnf upgrade

# Microos
transactional-update update && reboot

Sudo Setup

Setup sudo to restrict root user access on the system.

Install Sudo

Sudo is included in many Linux distributions by default. Install if not included.

# Debian
apt install sudo

# Fedora
dnf install sudo

# Microos
transactional-update pkg install sudo && reboot

Check Sudo Group

Many distributions will have a group for the sudo user already setup. If you are unsure, check the sudoers file using the visudo command. Refer to the table below for what to check for.

Configure Sudo Group

If there is no sudo group setup already, add one now. Start by creating a system group.

# Debian
groupadd sudo

# Fedora
groupadd wheel

# Microos
groupadd wheel

Modify the sudo configuration using visudo, the sudoers file is read-only for all other editors.

# Debian
visudo

# Fedora
visudo

# Microos
transactional-update shell
visudo
exit
reboot

Add a new sudoers definition for the created group, allowing anyone in the group to utilize sudo with a password.

# Debian
%sudo ALL=(ALL:ALL) ALL

# Fedora
%wheel ALL=(ALL:ALL) ALL

# Microos
%wheel ALL=(ALL:ALL) ALL

Optionally, disable target user password. This prevents having to type in the root password when using sudo. Comment out the following lines so the sudo user enters their password instead of the target user password.

#Defaults targetpw   # ask for the password of the target user i.e. root
#ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

Create Admin User

Create a non-root, administrative, sudo user for everyday use.

Add User

Add a new user on the system, exampleuser.

useradd -m exampleuser

Modify and define a password for the new user. Enter a strong, generated, password when prompted.

passwd exampleuser

Add Group

Add the newly created user to the sudoers groups for your system, granting them administrative privileges.

# Debian
usermod -aG sudo exampleuser

# Fedora
usermod -aG wheel exampleuser

# Microos
usermod -aG wheel exampleuser

After adding the user to the group, execute a given command with root privileges by prefacing it with sudo.

Automated Updates

Setup automated updates to keep the latest security patches.

Unattended Upgrades (Debian)

On Debian based systems, use the unattended-upgrades package to automatically install security updates.

Install the unattended-upgrades package.

sudo apt install unattended-upgrades

The package should be enabled by default, verify this with systemd.

sudo systemctl enable unattended-upgrades

The default unattended upgrades configuration is acceptable, view the file at /etc/apt/apt.conf.d/50unattended-upgrades.

To modify the unattended upgrades configuration, create a new file with a lower prefix.

sudo nano /etc/apt/apt.conf.d/40-operator-unattended-upgrades

DNF Automatic (Fedora)

On Fedora based systems, use the dnf-automatic package to automatically install updates.

Install the dnf-automatic package.

sudo dnf install dnf-automatic

Enable the dnf-automatic timer for updates to be installed automatically. Alternatively, enable dnf-automatic-notifyonly.timer to only send notifications when an update is available, or dnf-automatic-download.timer to only download the updates but not install them.

sudo systemctl enable dnf-automatic.timer

Transactional Update Timer (MicroOS)

On MicroOS systems, verify the transactional-update.timer is configured to automatically install updates.

sudo systemctl status transactional-update.timer

Check or modify the timer configuration with systemctl.

sudo systemctl edit transactional-update.timer

The configuration should resemble the following by default. It will be commented out with the default configuration, uncomment any changed lines.

[Timer]
OnCalendar=daily
AccuracySec=1m
RandomizedDelaySec=2h
Persistent=true

Secure OpenSSH

Secure the OpenSSH configuration. If setting up OpenSSH for the first time, verify the openssh-server package is on the system.

# Debian
sudo apt install openssh-server

# Fedora
sudo dnf install openssh-server

# Microos
sudo transactional-update pkg install openssh-server && sudo reboot

OpenSSH Config

Secure the OpenSSH configuration on the system.

Create a new SSHD configuration file with a high weight for custom definitions.

sudo vim /etc/ssh/sshd_config.d/60-operator.conf

Add the following configuration definitions, adjust as needed.

Protocol 2
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 900
ClientAliveCountMax 0

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd

Login Banner

The login banner presents a message to users who attempt to connect via SSH. Optionally configure this to present a toothless warning.

Open the /etc/issue.net file.

sudo vim /etc/issue.net

Configure the login banner text, a disconnect warning for example.

AUTHORIZED ACCESS ONLY
DISCONNECT IMMEDIATELY

Enable the login banner in the OpenSSH config file.

sudo vim /etc/ssh/sshd_config.d/60-operator.conf

Search for the the text #Banner none in the file, uncomment the line, and specify the banner file path.

Banner /etc/issue.net

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd

Firewall Setup

Setup a firewall for the system using firewalld. You should only allow connections on the ports you need for the services your server is serving. Reference common ports on Wikipedia’s port list.

This section will detail making the public firewall zone active and default as well as allowing SSH connections.

Install Firewall Manager

Install Firewalld for firewall policy management.

# Debian
sudo apt install firewalld

# Fedora
sudo dnf install firewalld

# Microos
sudo transactional-update pkg install firewalld && sudo reboot

Enable the Firewall

Enable and start the firewall to configure and enforce firewall rules.

sudo systemctl enable --now firewalld

Allow SSH Connections

Allow SSH connections by adding the ssh service to the public zone.

sudo firewall-cmd --permanent --zone=public --add-service=ssh

Alternatively, specify the port manually.

sudo firewall-cmd --permanent --zone=public --add-port=22/tcp

Reload firewalld to apply changes.

sudo firewall-cmd --reload

Verify Default Zone

Verify the public zone is the default zone.

sudo firewall-cmd --get-default-zone

The output of --get-default-zone should be public. If this is case, no further default zone configuration is required.

public

Reassign Default Zone

If public is not the default zone, list all active zones to determine which zone is currently active and bound to the network interface. Skip this step if public is already default.

sudo firewall-cmd --get-active-zones

For example, if the trusted zone is currently default, the output will resemble the following.

trsuted (default)
  interfaces: eth0

Reassign the network interface by removing it from trusted and assigning it to public. Verify SSH has already been added to the public zone if connected via SSH. Replace eth0 with the correct network interface.

sudo firewall-cmd --permanent --zone=trusted --remove-interface=eth0
sudo firewall-cmd --permanent --zone=public --add-interface=eth0

Make public the default zone after assigning the interface.

sudo firewall-cmd --set-default-zone=public

Reload firewalld to apply changes.

sudo firewall-cmd --reload

To prevent lockouts, open a new SSH session before closing the current one to verify the firewall is configured correctly.

Review Zones

Review the active firewall zones.

sudo firewall-cmd --get-active-zones

The public zone should be active, default, and assigned to the proper network interface.

public (default)
  interfaces: eth0

View the current public configuration, verify the allowed services and ports.

sudo firewall-cmd --zone=public --list-all

The output will resemble the following, review the currently allowed services and ports.

public (default)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

If a service or port is listed that should not be, remove it.

sudo firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client

sudo firewall-cmd --permanent --zone=public --remove-port=546/udp

Reload firewalld to apply changes.

sudo firewall-cmd --reload

Some additional commands to get further details about firewall zones and active configurations. Remove or reassign network interfaces or zones as necessary.

sudo firewall-cmd --list-all-zones
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --permanent --list-all

References

^{1 2 3 4 5 6 7 8 9 10 11 12 13 14}