Secure Your Linux Box

Howdy Everyone! Today I am going to walk you through setting up a baseline, production-ready Linux machine. I am going to assume that you know how to create and use SSH keys, that you already have the Linux box provisioned, and that it has a public-facing IPv4 address. You’ll also notice that I won’t guide you through setting up Uncomplicated Firewall (ufw). Since that is very workload dependent, I cannot offer a baseline configuration beyond the defaults. I also don’t cover NewRelic in detail; it will get its very own post.

Linux OS Basic Setup

The very first thing you will want to do on any fresh installation is an immediate update and upgrade of the local packages using your package manager.

sudo apt update -y && sudo apt upgrade -y

Once you have all the latest packages and security updates installed, go ahead and run the interactive configuration tool for unattended-upgrades. I’ve come across both “Yes” and “No” as the default, so I am of the opinion it is best practice to trust but verify. The purpose of this is to automatically install the latest stable security patches.

sudo dpkg-reconfigure unattended-upgrades

Now go ahead and set the timezone on your machine. This might seem silly, but it’s important: logs will be written with timestamps in the timezone that timedatectl reports. Using your local timezone will make your logging friendlier for human consumption when troubleshooting.

timedatectl
sudo timedatectl set-timezone America/Denver
timedatectl

Now tell hostnamectl the machine’s canonical name, sometimes referred to as a subject alternative name.

hostnamectl
sudo hostnamectl set-hostname host.domain.tld
hostnamectl

After configuring hostnamectl, append your desired hostname to a few entries in the /etc/hosts file. Failure to do so can result in SSL/TLS errors depending on your workload and technology stack. Here is an example.

127.0.0.1   localhost
127.0.1.1   localhost   host.domain.tld domain.tld
4.6.8.12    host.domain.tld domain.tld

Now create a limited sudo user account. This is the account you will log in with via SSH from now on, after the first reboot.

sudo useradd -m -G sudo -s /bin/bash mynewuseraccount

I’ll break down the command. -m creates the user’s home directory. -G sudo adds the user to the sudo group. -s /bin/bash sets the new user’s default shell to /bin/bash; the new default shell is zsh, which I don’t find SysAdmin friendly. Once the user is created, go ahead and run sudo passwd mynewuseraccount to configure a password.
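Here is the hostname, /etc/hosts and admin-user part of the procedure above as a small re-runnable script. This is an added example, not code from the original post: the FQDN, public IP and user name are the post’s placeholders, while ADMIN_PUBKEY, the hosts-file rewrite logic and the “apply” entry point are this example’s own assumptions. It installs the SSH public key for the new user right away, since password logins get switched off in the next section and a user with no authorized_keys would be locked out.

```shell
#!/bin/sh
# Added example, not code from the original post: the hostname, /etc/hosts
# and admin-user steps as re-runnable functions. FQDN/PUBLIC_IP/ADMIN_USER are
# the post's placeholders; ADMIN_PUBKEY and the file layout are assumptions.

FQDN="${FQDN:-host.domain.tld}"
PUBLIC_IP="${PUBLIC_IP:-4.6.8.12}"
ADMIN_USER="${ADMIN_USER:-mynewuseraccount}"
# Assumed key path; set it explicitly when running under sudo ($HOME is root's).
ADMIN_PUBKEY="${ADMIN_PUBKEY:-$HOME/.ssh/id_ed25519.pub}"

# Rewrite the 127.0.1.1 and public-IP lines of a hosts file ($1) so both carry
# the FQDN and the bare domain; every other line is kept. Safe to re-run.
ensure_hosts_entries() {
    hosts_path="$1"
    domain="${FQDN#*.}"
    ip_re=$(printf '%s' "$PUBLIC_IP" | sed 's/\./\\./g')
    scratch=$(mktemp)
    grep -Ev "^(127\.0\.1\.1|${ip_re})[[:space:]]" "$hosts_path" > "$scratch" || true
    printf '127.0.1.1\tlocalhost\t%s %s\n' "$FQDN" "$domain" >> "$scratch"
    printf '%s\t%s %s\n' "$PUBLIC_IP" "$FQDN" "$domain" >> "$scratch"
    cat "$scratch" > "$hosts_path"
    rm -f "$scratch"
}

# Check that a hosts file ($1) maps the FQDN to the public IP. Exit 0 if so.
hosts_resolves() {
    awk -v ip="$PUBLIC_IP" -v h="$FQDN" \
        '$1 == ip { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
         END { exit !found }' "$1"
}

# Create the limited sudo user and install its SSH public key (0700 ~/.ssh,
# 0600 authorized_keys). Assumes the Debian default of a private group named
# after the user. Must run as root.
create_admin_user() {
    id "$ADMIN_USER" >/dev/null 2>&1 || useradd -m -G sudo -s /bin/bash "$ADMIN_USER"
    home_dir=$(getent passwd "$ADMIN_USER" | cut -d: -f6)
    install -d -m 700 -o "$ADMIN_USER" -g "$ADMIN_USER" "$home_dir/.ssh"
    install -m 600 -o "$ADMIN_USER" -g "$ADMIN_USER" "$ADMIN_PUBKEY" "$home_dir/.ssh/authorized_keys"
}

# Whole procedure, as root:  sudo FQDN=host.domain.tld PUBLIC_IP=4.6.8.12 sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
    hostnamectl set-hostname "$FQDN"
    ensure_hosts_entries /etc/hosts
    hosts_resolves /etc/hosts || { echo "hosts check failed" >&2; exit 1; }
    create_admin_user
    passwd "$ADMIN_USER"
fi
```

The hosts functions take the file path as an argument so you can dry-run them against a copy of /etc/hosts before touching the real one; hosts_resolves is the check I run after the rewrite, because a hosts file that no longer maps the FQDN to the public address is exactly what produces the TLS errors mentioned above.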

Secure sshd_config

To properly secure SSH access, you’ll need to adjust the configuration file for the SSH daemon, located at /etc/ssh/sshd_config. The following lines should be present in your config file. If not, you can simply append them at the bottom of the file.

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
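The one check I always run after editing sshd configuration is sshd -T, which prints the values the daemon actually resolved: sshd keeps the first value it reads for a keyword, and on Debian/Ubuntu the top of /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf, so a stray “PasswordAuthentication yes” in a drop-in left by an installer wins over what you add later. The script below is an added example, not from the original post; it writes the four directives above to a drop-in (the file name is my choice), syntax-checks, and audits the effective configuration before reloading.

```shell
#!/bin/sh
# Added example, not from the original post: apply the four directives as a
# drop-in and audit what sshd actually resolved. DROPIN is an assumed name; it
# relies on the "Include /etc/ssh/sshd_config.d/*.conf" line Debian/Ubuntu
# ship at the top of /etc/ssh/sshd_config.

DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/00-hardening.conf}"

# The hardening directives from the post. sshd keeps the FIRST value it reads
# for a keyword, so a drop-in pulled in by the top-of-file Include beats a
# later "PasswordAuthentication yes" further down the main file.
hardening_conf() {
    cat <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

# Read "sshd -T" output on stdin (lower-case "keyword value" lines) and print
# a MISMATCH line for each directive whose effective value differs from
# hardening_conf. Returns 1 if anything mismatched, else 0.
audit_effective_config() {
    effective=$(cat)
    rc=0
    for pair in $(hardening_conf | tr '[:upper:]' '[:lower:]' | tr ' ' '='); do
        key=${pair%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Install, syntax-check, audit, then reload. As root:  sudo sh harden-ssh.sh apply
if [ "${1:-}" = "apply" ]; then
    hardening_conf > "$DROPIN"
    sshd -t || exit 1                            # syntax error: do not reload
    sshd -T | audit_effective_config || exit 1   # effective values after all Includes
    systemctl reload ssh
fi
```

Keep an existing SSH session open while you do this and open a second one to confirm key login still works before you close the first; the audit tells you what sshd will enforce, but it cannot tell you whether your key is in the right authorized_keys.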

Install Security Packages

Now let’s install and enable both Fail2Ban and the CrowdSec Security Engine. Once this is completed, consider installing any applicable CrowdSec Bouncers and Collections to further protect your machine and the applications on it from attacks.

curl -s https://install.crowdsec.net | sudo sh
sudo apt install fail2ban crowdsec -y
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo systemctl status fail2ban.service
sudo systemctl start fail2ban.service
sudo systemctl status fail2ban.service
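To see what Fail2Ban is actually doing once it is running, it helps to reproduce its counting rule by hand. The script below is an added example and not part of the original post: it writes a jail.local that turns the sshd jail on (the bantime, findtime and maxretry values are my choices, not defaults you must keep), and it runs the same per-source “Failed password” count over a few constructed auth.log lines (RFC 5737 documentation addresses) so you can see which sources would cross the maxretry threshold.

```shell
#!/bin/sh
# Added example, not from the original post: enable the sshd jail through a
# jail.local override and reproduce its per-source counting over constructed
# auth.log lines. Threshold values are this example's choices.

MAXRETRY="${MAXRETRY:-5}"

# Overrides go in jail.local so package upgrades to jail.conf do not clobber
# them. "enabled = true" under [sshd] is what actually switches the jail on.
jail_local() {
    cat <<EOF
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = ${MAXRETRY}
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
EOF
}

# Constructed sample of /var/log/auth.log (not real traffic).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Jan 10 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:03 host sshd[1235]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 12:00:05 host sshd[1236]: Accepted publickey for mynewuseraccount from 198.51.100.4 port 40000 ssh2
Jan 10 12:00:07 host sshd[1237]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jan 10 12:00:09 host sshd[1238]: Failed password for invalid user oracle from 192.0.2.9 port 2222 ssh2
EOF
)

# Read auth.log lines on stdin; print "ip count" for every source that hit
# "Failed password" at least $1 times. Same per-source counting the sshd jail
# performs before banning, minus the findtime window.
ban_candidates() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }' | sort
}

# Apply on the box, as root:  sudo sh fail2ban-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    jail_local > /etc/fail2ban/jail.local
    systemctl enable --now fail2ban.service
    fail2ban-client status sshd      # shows currently failed/banned sources
fi
```

Run `printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 3` and only 203.0.113.7 comes back, with its three failures; the successful key login from 198.51.100.4 never counts. The same pipeline pointed at the real /var/log/auth.log is a quick way to sanity-check that the jail’s maxretry matches what you see sshd logging.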

Logging, Monitoring, and Alerting

Now it’s important to get a baseline for logging, monitoring, and alerting; we want all three in place for a production system. There are two big observability platforms: NewRelic and DataDog. The NewRelic free plan allows 100 GB/month of data ingest with no host limit. The DataDog free plan allows 5 monitored hosts with no limit on data ingest. I have chosen to use NewRelic. Going into this section, it’s also important to lay out that alerts should be actionable. You never want an alert that can be ignored; that leads to alert fatigue, and it is an important human aspect to manage.

The NewRelic agent ingests our system logs and system data. This allows us to visualize log types and trends in total logging, which is a great method for spotting changes in the system over time. It also allows us to generate webhook, PagerDuty, and other types of alerts based on pre-defined “Golden Metrics” or fully custom NRQL queries.

Minor Customizations

Consider implementing a custom motd file such as the one below. This makes systems easily identifiable when connecting to them remotely.

##################################################
WARNING: This is a company computer system with access restricted to
those with proper authorization. Any unauthorized access attempt
will be investigated and prosecuted to the full extent of the law.
If you are not an authorized user, disconnect now.

<System Role> - <Hardware/VM Type>
##################################################
