/ DevOps

Server Foundation for Ubuntu LTS

This is a guide roughly outlining how I would manually setup and configure a server after the first boot up. I tend to go with Ubuntu 12.04 LTS since it will be supported longer than the current version (12.10) of Ubuntu.

On first boot

On the first login via SSH, change the password of the root user.

passwd

If mounting a separate disk/image as /home, edit /etc/fstab and add the home partition.

/dev/xvdc  /home  ext3  defaults  0  0

Note: the disk might have a different file system name depending on host.

Then mount the disk.

mount -a

Set the time zone.

dpkg-reconfigure tzdata

User

Set up a new user to handle server administration, so the root user does not need to be used.

adduser deploy
usermod -a -G sudo deploy

Setup a public/private key pair on the server. This key could be used for checking out code from Github or connecting to other servers.

su deploy
cd
ssh-keygen -t rsa -b 2048

On a local machine, a public/private key pair should also be setup (if not already).

ssh-keygen -t rsa -b 2048

And upload the public key to the server for logging in without a password.

scp ~/.ssh/id_rsa.pub deploy@example.com:

Add the contents of the public key (id_rsa.pub) to the deploy user’s authorized_keys file and limit the permissions on the file.

cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod 400 ~/.ssh/authorized_keys

Note: multiple public keys can be added to the file, one per line.

Change the following options in /etc/ssh/sshd_config.

PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UseDNS no

Software

The apt-get sources list can have a lot of entries. Sometimes it is setup to have other repos like “multiverse” and “restricted”, or includes deb-src entries. I tend to clean up /etc/apt/sources.list file and replace content with the following:

deb http://archive.ubuntu.com/ubuntu precise main universe
deb http://archive.ubuntu.com/ubuntu precise-updates main universe
deb http://security.ubuntu.com/ubuntu precise-security main universe

I think this makes it much easier to understand where apt-get is looking. After the file is changed, run the update and upgrade commands.

apt-get update && apt-get upgrade

I also remove whoopsie if it’s installed, but it can be left installed without issues. Whoopsie is an error tracking and reporting daemon that reports cashes to Canonical. The results it collects can be found on the Ubuntu Error Tracker.

apt-get --purge remove whoopsie

Install fail2ban. It’s a daemon that monitors login attempts and blocks suspicious ones, and it’s configured well out of the box.

apt-get install fail2ban

Networking

Unless using DHCP is okay, edit /etc/network/interfaces and set eth0 to static and add the parameters needed.

iface eth0 inet static
  address
  netmask
  gateway
  dns-domain
  dns-search
  dns-nameservers

Note: multiple dns-nameservers values can be added by separating them with a space.

Firewall

Setting up iptables can be a bit verbose mess, but using ufw (uncomplicated firewall) makes dealing with open ports much easier. ufw can get in the way a bit if more more control is needed, but in most cases, it’s “good enough.”

Install ufw and allow port 22 (ssh). Also, 80 (http), and 443 (https) if this will be a web server. Finally, enable the firewall.

apt-get install ufw
ufw allow 22
ufw allow 80
ufw allow 443
ufw enable

Finishing up

A restart for good measure.

shutdown -r now

When the server restarts, it should serve as a good foundation setting up any production stack. If by chance something went wrong and an SSH connection cannot be established, most VPS host have a console that can still access the machine.

If a lot of servers are going to need provisioning, look in to Chef. Chef is open source and can automate server setups and deployments. PeepCode has some great screencasts covering getting Chef up and running. Another option is Puppet.

Update: Also, be sure to checkout out Ansible for automated provisioning. I personally find it easier to use than Chef Solo.