Initial System Setup
Covers Debian / Ubuntu, Fedora / Rocky / RHEL, and OpenSUSE MicroOS.
Overview
Post installation configuration for a freshly spun Linux server.
Assumptions
- Logged in as root user.
Update
Before getting started, update package repositories and apply upgrades for the latest patches.
# Debian
apt update
apt upgrade
# Fedora
dnf check-update
dnf upgrade
# Microos
transactional-update update && reboot
Sudo Setup
Set up sudo to restrict root user access on the system.
Install Sudo
Sudo is included in many Linux distributions by default. Install if not included.
# Debian
apt install sudo
# Fedora
dnf install sudo
# Microos
transactional-update pkg install sudo && reboot
Check Sudo Group
Many distributions will have a group for sudo users already set up. If you are unsure, check the sudoers file using the visudo command. Refer to the table below for what to check for.
Distribution | Group | Sudoers |
---|---|---|
Debian | sudo | %sudo ALL=(ALL:ALL) ALL |
Fedora | wheel | %wheel ALL=(ALL:ALL) ALL |
MicroOS | wheel | %wheel ALL=(ALL:ALL) ALL |
Configure Sudo Group
If there is no sudo group set up already, add one now. Start by creating a system group.
# Debian
groupadd sudo
# Fedora
groupadd wheel
# Microos
groupadd wheel
Modify the sudo configuration using visudo rather than another editor; visudo validates the sudoers file before saving it.
# Debian
visudo
# Fedora
visudo
# Microos
transactional-update shell
visudo
exit
reboot
Add a new sudoers definition for the created group, allowing anyone in the group to use sudo with a password.
# Debian
%sudo ALL=(ALL:ALL) ALL
# Fedora
%wheel ALL=(ALL:ALL) ALL
# Microos
%wheel ALL=(ALL:ALL) ALL
Optionally, disable the target user password requirement. This avoids having to type in the root password when using sudo. Comment out the following lines so the sudo user enters their own password instead of the target user's password.
#Defaults targetpw # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
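As an added check (example code, not part of the original guide), the function below audits a sudoers text for the three points above: the group rule is present and active, and the Defaults targetpw and ALL ALL=(ALL) ALL lines are commented out. The sample sudoers content is constructed; on a real host pass it the contents of /etc/sudoers and still run visudo -c for a syntax check.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a sudoers text for the
# settings described above. Constructed sample content; on a real host use
#   audit_sudoers wheel "$(sudo cat /etc/sudoers)"

# Constructed sample: MicroOS-style defaults left active, wheel rule added.
SUDOERS_BEFORE="Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
%wheel ALL=(ALL:ALL) ALL"

# Same content after the two default lines were commented out with visudo.
SUDOERS_AFTER="#Defaults targetpw   # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
%wheel ALL=(ALL:ALL) ALL"

# audit_sudoers GROUP SUDOERS_TEXT
# Prints one line per problem; the return value is the number of problems.
audit_sudoers() {
    group=$1
    sudoers=$2
    problems=0
    # Drop comment and blank lines so commented-out entries are not counted as active.
    active=$(printf '%s\n' "$sudoers" | grep -Ev '^[[:space:]]*(#|$)' || true)
    if ! printf '%s\n' "$active" | grep -Eq "^%${group}[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL([[:space:]]|$)"; then
        echo "missing rule: %${group} ALL=(ALL:ALL) ALL"
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$active" | grep -Eq '^Defaults[[:space:]]+targetpw'; then
        echo "active 'Defaults targetpw': sudo asks for the root password"
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$active" | grep -Eq '^ALL[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL'; then
        echo "active 'ALL ALL=(ALL) ALL': every user may run sudo as any user"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```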
Create Admin User
Create a non-root administrative sudo user for everyday use.
Add User
Add a new user on the system, exampleuser.
useradd -m exampleuser
Set a password for the new user. Enter a strong, generated password when prompted.
passwd exampleuser
Add Group
Add the newly created user to the sudo group for your system, granting them administrative privileges.
# Debian
usermod -aG sudo exampleuser
# Fedora
usermod -aG wheel exampleuser
# Microos
usermod -aG wheel exampleuser
After adding the user to the group, execute a given command with root privileges by prefacing it with sudo.
Automated Updates
Set up automated updates to keep the system on the latest security patches.
Unattended Upgrades (Debian)
On Debian based systems, use the unattended-upgrades package to automatically install security updates.
Install the unattended-upgrades package.
sudo apt install unattended-upgrades
The service should be enabled by default; verify this with systemd.
sudo systemctl enable unattended-upgrades
The default unattended upgrades configuration is acceptable; view the file at /etc/apt/apt.conf.d/50unattended-upgrades.
To modify the unattended upgrades configuration, create a new file with a lower prefix.
sudo nano /etc/apt/apt.conf.d/40-operator-unattended-upgrades
DNF Automatic (Fedora)
On Fedora based systems, use the dnf-automatic package to automatically install updates.
Install the dnf-automatic package.
sudo dnf install dnf-automatic
Enable the dnf-automatic timer for updates to be installed automatically. Alternatively, enable dnf-automatic-notifyonly.timer to only send notifications when an update is available, or dnf-automatic-download.timer to only download the updates but not install them.
sudo systemctl enable dnf-automatic.timer
Transactional Update Timer (MicroOS)
On MicroOS systems, verify the transactional-update.timer is configured to automatically install updates.
sudo systemctl status transactional-update.timer
Check or modify the timer configuration with systemctl.
sudo systemctl edit transactional-update.timer
By default the configuration should resemble the following. The default values are commented out; uncomment any lines you change.
[Timer]
OnCalendar=daily
AccuracySec=1m
RandomizedDelaySec=2h
Persistent=true
Secure OpenSSH
Secure the OpenSSH configuration. If setting up OpenSSH for the first time, verify the openssh-server package is on the system.
# Debian
sudo apt install openssh-server
# Fedora
sudo dnf install openssh-server
# Microos
sudo transactional-update pkg install openssh-server && sudo reboot
OpenSSH Config
Secure the OpenSSH configuration on the system.
Create a new SSHD configuration file with a high weight for custom definitions.
sudo vim /etc/ssh/sshd_config.d/60-operator.conf
Add the following configuration definitions, adjust as needed.
Setting | Value | Description |
---|---|---|
Protocol | 2 | Only allow connections using protocol 2. |
PermitRootLogin | no | Disallow root login via SSH. |
MaxAuthTries | 3 | Maximum login attempts in a single connection. |
ClientAliveInterval | 900 | Interval to query client in seconds. |
ClientAliveCountMax | 0 | Set to 0 to terminate connection after the interval. |
Protocol 2
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 900
ClientAliveCountMax 0
Restart the SSH service for changes to take effect.
sudo systemctl restart sshd
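As an added verification step (example code, not part of the original guide), the function below compares the settings sshd is actually using against the values in the table above. It expects the output of sshd -T, which prints every effective option in lowercase; the sample output is constructed, and Protocol is left out on the assumption that sshd -T on current releases does not report it.

```shell
#!/bin/sh
# Added example, not from the original guide: compare the effective sshd
# settings against the values recommended above. Feed it the output of
# `sshd -T` (run as root), e.g.:
#   check_sshd_settings "$(sudo sshd -T)"
# Protocol is not checked (assumption: sshd -T on current releases omits it).

# Constructed sample of `sshd -T` output from a host where the root login
# setting was never applied (hypothetical scenario).
SSHD_T_SAMPLE="port 22
permitrootlogin yes
maxauthtries 3
clientaliveinterval 900
clientalivecountmax 0
passwordauthentication yes"

# check_sshd_settings EFFECTIVE_OUTPUT
# Prints one line per deviation; the return value is the number of deviations.
check_sshd_settings() {
    effective=$1
    mismatches=0
    for pair in permitrootlogin=no maxauthtries=3 \
                clientaliveinterval=900 clientalivecountmax=0; do
        key=${pair%%=*}
        want=${pair#*=}
        # sshd -T prints one "key value" line per option; pick out the value.
        got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key: want $want"
            mismatches=$((mismatches + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got $got, want $want"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}
```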
Login Banner
The login banner presents a message to users who attempt to connect via SSH. Optionally configure this to present a toothless warning.
Open the /etc/issue.net file.
sudo vim /etc/issue.net
Configure the login banner text, a disconnect warning for example.
AUTHORIZED ACCESS ONLY
DISCONNECT IMMEDIATELY
Enable the login banner in the OpenSSH config file.
sudo vim /etc/ssh/sshd_config.d/60-operator.conf
Search for the text #Banner none in the file, uncomment the line, and specify the banner file path.
Banner /etc/issue.net
Restart the SSH service for changes to take effect.
sudo systemctl restart sshd
Firewall Setup
Set up a firewall for the system using firewalld. Only allow connections on the ports needed for the services your server provides. Reference common ports on Wikipedia's port list.
This section details making the public firewall zone active and default, as well as allowing SSH connections.
Install Firewall Manager
Install Firewalld for firewall policy management.
# Debian
sudo apt install firewalld
# Fedora
sudo dnf install firewalld
# Microos
sudo transactional-update pkg install firewalld && sudo reboot
Enable the Firewall
Enable and start the firewall to configure and enforce firewall rules.
sudo systemctl enable --now firewalld
Allow SSH Connections
Allow SSH connections by adding the ssh service to the public zone.
sudo firewall-cmd --permanent --zone=public --add-service=ssh
Alternatively, specify the port manually.
sudo firewall-cmd --permanent --zone=public --add-port=22/tcp
Reload firewalld to apply changes.
sudo firewall-cmd --reload
Verify Default Zone
Verify the public zone is the default zone.
sudo firewall-cmd --get-default-zone
The output of --get-default-zone should be public. If this is the case, no further default zone configuration is required.
public
Reassign Default Zone
If public is not the default zone, list all active zones to determine which zone is currently active and bound to the network interface. Skip this step if public is already the default.
sudo firewall-cmd --get-active-zones
For example, if the trusted zone is currently default, the output will resemble the following.
trusted (default)
interfaces: eth0
Reassign the network interface by removing it from trusted and assigning it to public. If connected via SSH, verify SSH has already been added to the public zone first. Replace eth0 with the correct network interface.
sudo firewall-cmd --permanent --zone=trusted --remove-interface=eth0
sudo firewall-cmd --permanent --zone=public --add-interface=eth0
Make public the default zone after assigning the interface.
sudo firewall-cmd --set-default-zone=public
Reload firewalld to apply changes.
sudo firewall-cmd --reload
To prevent lockouts, open a new SSH session before closing the current one to verify the firewall is configured correctly.
Review Zones
Review the active firewall zones.
sudo firewall-cmd --get-active-zones
The public zone should be active, default, and assigned to the proper network interface.
public (default)
interfaces: eth0
View the current public zone configuration and verify the allowed services and ports.
sudo firewall-cmd --zone=public --list-all
The output will resemble the following; review the currently allowed services and ports.
public (default)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
If a service or port is listed that should not be, remove it.
sudo firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
sudo firewall-cmd --permanent --zone=public --remove-port=546/udp
Reload firewalld to apply changes.
sudo firewall-cmd --reload
Some additional commands give further details about firewall zones and active configurations. Remove or reassign network interfaces or zones as necessary.
sudo firewall-cmd --list-all-zones
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --permanent --list-all
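As an added review helper (example code, not part of the original guide), the function below reads the output of firewall-cmd --zone=public --list-all, compares the allowed services and ports against the ones the server is meant to expose, and prints the matching removal command from the section above for anything else. The listing is a constructed sample; the function only prints commands and never runs them.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a zone's
# `firewall-cmd --zone=ZONE --list-all` output against the services and
# ports the server should expose, printing the removal command for the rest.
#   audit_zone_exposure "ssh" "" "$(sudo firewall-cmd --zone=public --list-all)"

# Constructed sample listing: dhcpv6-client is still allowed and a port was
# opened at some point that is no longer needed (hypothetical).
LIST_ALL_SAMPLE="public (default)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:"

# audit_zone_exposure ALLOWED_SERVICES ALLOWED_PORTS LIST_ALL_OUTPUT
# Allowed lists are space-separated. Prints one line per unexpected entry
# and returns the number of unexpected entries.
audit_zone_exposure() {
    allowed_services=$1
    allowed_ports=$2
    listing=$3
    # The zone name is the first word of the first line ("public (default)").
    zone=$(printf '%s\n' "$listing" | awk 'NR == 1 { print $1 }')
    services=$(printf '%s\n' "$listing" | awk '$1 == "services:" { $1 = ""; print }')
    ports=$(printf '%s\n' "$listing" | awk '$1 == "ports:" { $1 = ""; print }')
    unexpected=0
    for s in $services; do
        case " $allowed_services " in
            *" $s "*) ;;
            *) echo "unexpected service $s: sudo firewall-cmd --permanent --zone=$zone --remove-service=$s"
               unexpected=$((unexpected + 1)) ;;
        esac
    done
    for p in $ports; do
        case " $allowed_ports " in
            *" $p "*) ;;
            *) echo "unexpected port $p: sudo firewall-cmd --permanent --zone=$zone --remove-port=$p"
               unexpected=$((unexpected + 1)) ;;
        esac
    done
    return "$unexpected"
}
```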