Secure Your Linux Box
Howdy Everyone! Today I am going to walk you through setting up a baseline, production-ready Linux machine. I am going to assume that you know how to create and use SSH keys, that you already have the Linux box provisioned, and that it has a public-facing IPv4 address. You'll also notice that I won't guide you through setting up Uncomplicated Firewall (ufw). Since that is very workload dependent, I cannot offer a baseline configuration beyond the defaults. I also don't cover NewRelic in detail; it will get its very own post.
Linux OS Basic Setup
The very first thing you will want to do on any fresh installation is an immediate update and upgrade of the installed packages using your package manager.
sudo apt update -y && sudo apt upgrade -y
Once you have all the latest packages and security updates installed, run the interactive configuration tool for unattended-upgrades. I've come across both "Yes" and "No" as the default, so I am of the opinion it is best practice to trust but verify. The purpose of this is to automatically install the latest stable security patches.
sudo dpkg-reconfigure unattended-upgrades
Now set the timezone on your machine. This might seem silly, but it's important: logs are written with timestamps in the timezone timedatectl reports, so using your local timezone makes the logs friendlier for human consumption when troubleshooting.
timedatectl
sudo timedatectl set-timezone America/Denver
timedatectl
Now tell hostnamectl the machine's canonical name (the fully qualified name you will also use as a subject alternative name in its certificate).
hostnamectl
sudo hostnamectl set-hostname host.domain.tld
hostnamectl
After configuring hostnamectl, append your desired hostname to a few entries in the /etc/hosts file. Failure to do so can result in SSL/TLS errors depending on your workload and technology stack. Here is an example:
127.0.0.1 localhost
127.0.1.1 localhost host.domain.tld domain.tld
4.6.8.12 host.domain.tld domain.tld
Now create a limited sudo user account. This is the account you will log in with via ssh going forward, after the first reboot.
sudo useradd -m -G sudo -s /bin/bash mynewuseraccount
I'll break down the command: -m creates the user's home directory, -G sudo adds the user to the sudo group, and -s /bin/bash sets the new user's default shell to /bin/bash. The new default shell is zsh, which I don't find SysAdmin friendly. Once the user is created, run sudo passwd mynewuseraccount to set a password.
Secure sshd_config
To properly secure SSH access, you'll need to adjust the configuration file for the ssh daemon, located at /etc/ssh/sshd_config.
The following lines should be present in your config file. If not, you can simply append these at the bottom of the file.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
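The four directives above are worth checking against the config as sshd actually reads it, because sshd keeps the first value it sees for a keyword: a line appended at the bottom is ignored if an earlier line, or a drop-in pulled in by an Include at the top (as Debian and Ubuntu ship), already set it. The following is an added example in POSIX sh, not code from the original post; the script name, the SSH_CONFIG_DIR override and the single-pattern-per-Include simplification are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the four
# directives above. sshd keeps the FIRST value it reads for a keyword, so a line
# appended at the bottom is ignored when an earlier line, or a file pulled in by
# an earlier "Include", already set it. This reader follows the same rule
# (simplifications: one pattern per Include; reading stops at the first "Match").
SSH_CONFIG_DIR="${SSH_CONFIG_DIR:-/etc/ssh}"   # relative Include paths resolve here
# Split one line into a lower-cased keyword ($key) and value ($val); "Key val" or "Key=val".
split_directive() {
  _l=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/=/ /')
  key=$(printf '%s' "${_l%%[[:space:]]*}" | tr 'A-Z' 'a-z')
  case "$_l" in
    *[[:space:]]*) val=$(printf '%s' "${_l#*[[:space:]]}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//') ;;
    *) val="" ;;
  esac
}
# Print the value sshd would use for keyword $1 from config file $2; return 1 if unset.
effective_value() {
  local want file line inc; want=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); file=$2
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    split_directive "$line"
    case "$key" in
      ''|'#'*) continue ;;                 # blank line or comment
      match) break ;;                      # lines after a Match are conditional
      include)
        case "$val" in /*) ;; *) val="$SSH_CONFIG_DIR/$val" ;; esac
        for inc in $val; do                # unquoted on purpose: expand the glob like sshd
          effective_value "$want" "$inc" && return 0
        done ;;
      "$want") printf '%s\n' "$val"; return 0 ;;
    esac
  done < "$file"
  return 1
}
# Print one line per directive whose effective value differs from the required one
# ("unset" counts, since the lines should be present explicitly); return 0 if all pass.
check_sshd_hardening() {
  local file rc pair kw want got; file=$1; rc=0
  for pair in PermitRootLogin=no PubkeyAuthentication=yes PasswordAuthentication=no PermitEmptyPasswords=no; do
    kw=${pair%%=*}; want=${pair#*=}
    got=$(effective_value "$kw" "$file") || got="unset"
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
      printf '%s: effective value is "%s", want "%s"\n' "$kw" "$got" "$want"; rc=1
    fi
  done
  return $rc
}
if [ $# -gt 0 ]; then check_sshd_hardening "$1"; fi   # e.g. sh check_sshd.sh /etc/ssh/sshd_config
```

Run it before restarting the daemon; on the live host, sudo sshd -T prints the effective configuration straight from sshd and should agree with the script's verdict.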
Install Security Packages
Now let's install and enable both Fail2Ban and the CrowdSec Security Engine. Once this is completed, consider installing any applicable CrowdSec Bouncers and Collections to further protect your machine and the applications on it from attack.
curl -s https://install.crowdsec.net | sudo sh
sudo apt install fail2ban crowdsec -y
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo systemctl status fail2ban.service
sudo systemctl enable --now fail2ban.service
sudo systemctl status fail2ban.service
Logging, Monitoring, and Alerting
Now it's important to get a baseline for logging, monitoring, and alerting. We will want all three in place for a production system. There are two big observability platforms: NewRelic and DataDog. The NewRelic free plan allows 100GB/month of data ingest with no host limit. The DataDog free plan allows 5 monitored hosts with no limit on data ingest. I have chosen to use NewRelic. Going into this section, it is also important to lay out that alerts should be actionable. You never want an alert that can be ignored; that leads to alert fatigue, which is an important human aspect to manage.
The NewRelic agent ingests our system logs and system data. This allows us to visualize log types and trends in total logging, which is a great method for spotting changes in the system over time. It also allows us to generate webhook, PagerDuty, and other types of alerts based on pre-defined "Golden Metrics" or fully custom NRQL queries.
Minor Customizations
Consider implementing a custom motd file such as the one below. This makes the systems easily identifiable when connecting to them remotely.
##################################################
WARNING: This is a company computer system with access restricted to
those with proper authorization. Any unauthorized access attempt
will be investigated and prosecuted to the full extent of the law.
If you are not an authorized user, disconnect now.
<System Role> - <Hardware/VM Type>
##################################################