Brett Hoerner's blog
Kickstarting a better Ubuntu server environment
written on Monday, October 27, 2008
I decided to clean up and post my notes on how I set up my Ubuntu server environment (I happen to use Slicehost, but it shouldn't matter).
I began with an "empty" Ubuntu 8.04 machine and the root password; by the end you will have:
- Disabled root login via ssh
- Created your own user who can login via ssh public-key authentication
- Updated your system with the latest Ubuntu packages
- Installed various packages that most people expect on a Linux server
- Set up simple mail forwarding (I forward bretthoerner.com to my Gmail account)
This assumes you already have a domain pointed at your server and that you have ssh keys stored locally in ~/.ssh.
Initial login
# Use your root password when prompted
(local)$ ssh root@DOMAIN
Replace /bin/sh symlink with a more fully featured shell
$ ln -sf /bin/bash /bin/sh
Create your user
# Add USER (using bash, with a home, in groups USER, users, and sudo)
$ useradd -G users,sudo -m -c "FULL NAME" -s /bin/bash USER
# Configure sudo to be password-less for users in group sudo
$ visudo
# Uncomment %sudo ALL=NOPASSWD: ALL
Set up ssh public-key login
# Login as user
$ su - USER
# Configure `ssh` public key login
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ vim ~/.ssh/authorized_keys
# Paste in your public key (from local ~/.ssh/id_[rd]sa.pub)
# Exit out of user
$ exit
# Exit out of root
$ exit
# Test login from your local machine
(local)$ ssh USER@DOMAIN # should work without a password
Disable root login
# Test sudo from your user before you disable root login
$ sudo whoami # should print 'root'
# Disable root ssh and password-based logins
$ sudo vim /etc/ssh/sshd_config
# Change "PermitRootLogin yes" to "PermitRootLogin no"
# Change "#PasswordAuthentication yes" to "PasswordAuthentication no"
# Reload the ssh config
$ sudo /etc/init.d/ssh reload
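# Remove root's password (note: -d leaves the password empty rather than locked; `passwd -l root` locks the account instead)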
$ sudo passwd -d root
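An added example (not part of the original post): a small script to confirm the sshd_config edit took effect. It reads the global section of the file and reports the first uncommented value of each setting, since sshd uses the first value it finds. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the sshd_config edit described above.
# sshd uses the FIRST value it reads for a keyword and ignores "#" lines,
# so a leftover "#PasswordAuthentication" or an earlier "yes" defeats the change.

# effective_value FILE KEYWORD -> first uncommented global value, or "unset"
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # comment line: not in effect
        tolower($1) == "match" { exit }     # only the global section is checked
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd_hardening FILE -> exit status 0 only if both settings are "no".
# "unset" is treated as a failure: PasswordAuthentication defaults to yes.
check_sshd_hardening() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK    $key $val"
        else
            echo "FAIL  $key $val (expected no)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (hypothetical, not from the original post)
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$SAMPLE_DIR/missed" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PermitRootLogin no
EOF

check_sshd_hardening "$SAMPLE_DIR/hardened"
check_sshd_hardening "$SAMPLE_DIR/missed" || echo "missed: still allows root or password login"
```

On the server, run `check_sshd_hardening /etc/ssh/sshd_config` after editing and before reloading ssh.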
Update the local package repository and packages on your system
$ sudo apt-get update
$ sudo apt-get dist-upgrade -y
Install packages you'd expect to have on Linux
# Favorite editor and shell niceness
$ sudo apt-get install -y bash-completion command-not-found \
emacs-snapshot-nox exuberant-ctags vim-nox
# Postfix
$ sudo apt-get install -y postfix procmail
# Just hit enter through the setup for now
# Linux basics
$ sudo apt-get install -y dnsutils file info logrotate lsof \
mailx mlocate openssl rsync screen unzip
# Developer basics
$ sudo apt-get install -y autoconf build-essential cdecl colordiff \
git-core git-svn libtool make patch subversion
Re-configure Postfix
$ sudo dpkg-reconfigure postfix
- General Type: Internet Site
- System mail name: DOMAIN
- Root recipient: USER
- Destinations: localhost
- Force synchronous updates: no
- Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
- Use procmail for local delivery: yes
- Mailbox size limit: 0
- Local address extension character: +
- Internet protocols to use: all
Edit the Postfix config
$ sudo vim /etc/postfix/main.cf
# Add the following
virtual_alias_domains = DOMAIN
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
Create virtual users and aliases that forward to you
$ sudo vim /etc/postfix/virtual
# Add one USER@VIRTUAL_DOMAIN EMAIL_TO_FORWARD_TO per line, e.g.:
user@example.com user@gmail.com
$ sudo postmap /etc/postfix/virtual
$ sudo vim /etc/aliases
# Append the following line so that root mail goes to USER@DOMAIN
root: USER
$ sudo newaliases
# Restart postfix for changes to take effect
$ sudo /etc/init.d/postfix restart
That's it. I'll follow this up with more information on how I set up Apache, mod_wsgi, Django, nginx, etc.