Server TODO List

My running list of things to do when setting up a new server.

  • Partition Filesystem
    • RAID/LVM/encryption
    • Document the drive setup and partitions for easier recovery
    • Clone and backup the EFI/boot partitions
    • Update scripts to ensure the EFI mirror is kept up to date
    • Set up a process to monitor RAID health/status
    • Set up backup for LVM (snapshot/clone)
  • Configure basic networking
    • SSH Server - install/enable ssh
      • lock down ssh and limit users and attempts
      • enable banner (issue.net, issue and motd)
      • set automatic timeout
        • https://ubuntu-tutorials.com/2009/03/02/automatically-logout-ssh-sessions-after-period-of-inactivity/
    • Firewall - install/enable ufw and set to mostly closed 
      • open ssh port
      • set up limits
      • enable logging
      • disable ipv6
    • Set up two-factor authentication
      • set up public key
      • enable in pam
    • libpam-abl
      • prevent brute force attacks
    • libpam-cracklib
      • set strong password requirements
      • simply install in Ubuntu and it will be enabled
      • you can tweak the settings in /etc/pam.d/common-password
    • apt-listchanges
      • view the change log for updates
      • see: http://jxf.me/entries/better-apt-ubuntu/
    • debian-goodies
      • useful Debian package tools
      • see: http://www.tecmint.com/use-debian-goodies-utilities-to-manage-debian-packages/
    • debsecan
      • security scan
      • http://www.enyo.de/fw/software/debsecan
    • libpam-tmpdir
    • libpam-usb
    • apt-listbugs (does not exist for xenial)
    • apt-show-versions
    • debsums
    • fail2ban
    • auditd
      • configure audit rules
    • sysstat
    • portsentry
    • intrusion detection (AIDE or Tripwire)
      • https://help.ubuntu.com/community/FileIntegrityAIDE
      • https://www.stephenrlang.com/2016/03/using-aide-for-file-integrity-monitoring-fim-on-ubuntu/
    • set password aging and umask (027) in login.defs & init.d/rc
    • set a grub password
      • http://askubuntu.com/questions/656206/how-to-password-protect-grub-menu
    • session timeout (timeoutd/autolog)
    • lynis
    • Document and set up proper drive decryption when using public key only
    • Document rkhunter setup
      • whitelisting byobu
  • NTP
    • Ensure we have ntpd installed and running
  • Set up byobu (screen) for terminal
    • enable terminal lock and detach
  • use etckeeper
    • Install it:
      • sudo apt-get install etckeeper
    • Commit after installing
      • sudo etckeeper commit "Clean Commit"
    • For each change to /etc, we should commit the change
      • sudo etckeeper commit "IPv6 Disable"
    • To look at all the commits in etckeeper (if using git as vcs)
      • sudo etckeeper vcs log --pretty=oneline
    • To look at the entries from the last commit
      • sudo etckeeper vcs show
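
A way to verify the SSH items above (limit users, limit attempts, enable banner) once the config has been edited. This is an added example, not part of the original list; the MaxAuthTries ceiling of 4, the function names and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original list. Thresholds are assumptions.
MAX_TRIES=4   # assumed ceiling for MaxAuthTries (sshd's default is 6)

# Print the global value sshd would use for KEYWORD in FILE: keywords are
# case-insensitive, the first occurrence wins, and anything after the first
# Match line applies only to matching connections.
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*#/              { next }   # comment line
        tolower($1) == "match"  { exit }   # end of the global section
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Print one FAIL line per unmet checklist item; return the number of findings.
audit_sshd() {
    f=$1; n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }

    # "limit users": an allow-list of accounts or groups must exist.
    [ -n "$(sshd_value "$f" AllowUsers)$(sshd_value "$f" AllowGroups)" ] ||
        fail "no AllowUsers/AllowGroups, so any account may log in"

    # "limit attempts": an unset MaxAuthTries means the default of 6.
    tries=$(sshd_value "$f" MaxAuthTries)
    [ "${tries:-6}" -le "$MAX_TRIES" ] ||
        fail "MaxAuthTries is ${tries:-6}, above $MAX_TRIES"

    # "enable banner": Banner must name a file such as /etc/issue.net.
    case "$(sshd_value "$f" Banner)" in
        ""|none) fail "no pre-login Banner file configured" ;;
    esac
    return "$n"
}

# Constructed sample config. The second MaxAuthTries line never takes effect.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 22
MaxAuthTries 10
MaxAuthTries 3
#Banner /etc/issue.net
Match User backup
    Banner /etc/issue.net
EOF
audit_sshd "$sample" || echo "$? finding(s)"
```

On a live host, `sudo sshd -T` prints the effective configuration after includes and defaults are resolved, which is a more complete source for these values than a single file.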