Ubuntu Server has been my server of choice as of 2012 because of its long support (5 years), relatively recent packages (12.04 as of writing this page), being completely free, being based on Debian, etc. Not really anymore, but I still have VMs running it. It has quite a few annoyances (at least for me).
Removing useless packages
apt-get purge byobu libapparmor1 bash-completion command-not-found libapparmor-perl screen command-not-found-data apparmor apparmor-utils whoopsie
- I’m not a fan of byobu/screen.
- I find bash-completion to be awesomely annoying.
- command-not-found slows things down.
- apparmor can go to hell.
- whoopsie reports things to Canonical. Funny.
Disabling apparmor
lxc pulls in apparmor again. Disabling it while keeping it installed can be done by editing /etc/default/grub and adding apparmor=0 to GRUB_CMDLINE_LINUX. Don’t forget to run update-grub afterwards.
Basic sources.list
###### Ubuntu Main Repos
deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
#deb-src http://us.archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
###### Ubuntu Security Update Repos
deb http://security.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse
#deb-src http://security.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse
###### Ubuntu General Update Repos
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
#deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
###### Ubuntu Backport Repos
deb http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
#deb-src http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
Standard stuff. The one above is for 12.04.
Multi-round password hashing
Append rounds=5000 to this line in /usr/share/pam-configs/unix:
[success=end default=ignore] pam_unix.so obscure sha512
It should then look like this:
[success=end default=ignore] pam_unix.so obscure sha512 rounds=5000
Follow this by running pam-auth-update so the change is written into the PAM configuration.
And then (optionally) uncomment SHA_CRYPT_MIN_ROUNDS in /etc/login.defs.
Don’t forget to rerun passwd for all users: an existing hash is only recomputed with the new round count when the password is set again.
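The last step is easy to skip for one account and the configuration gives no feedback, so here is a small audit script. It is an added example, not part of the original post: it reads shadow-format lines and lists the accounts whose hash is not sha512-crypt with at least MIN_ROUNDS rounds (5000, matching the value above). One detail the post does not mention: when a sha512-crypt hash carries no rounds= field, glibc uses its default of 5000 rounds, so a bare $6$ hash is treated as 5000 here. The sample shadow lines are constructed with fake salts and hashes.

```shell
#!/bin/sh
# Added example, not from the original post: audit shadow-format lines and list
# the accounts whose hash is not sha512-crypt with at least MIN_ROUNDS rounds.
# sha512-crypt hashes look like $6$rounds=N$salt$hash; when "rounds=N" is absent,
# glibc applies its default of 5000 rounds, so a bare $6$ hash counts as 5000.
MIN_ROUNDS=5000

# check_shadow_hash '<hash field>'
# Returns 0 if the hash meets the policy, 1 if it does not, 2 if the account has
# no usable password at all (locked or empty).
check_shadow_hash() {
    hash=$1
    case "$hash" in
        ''|'*'|'!'*) return 2 ;;                     # locked / no password set
        '$6$rounds='*)
            rounds=${hash#\$6\$rounds=}              # strip "$6$rounds="
            rounds=${rounds%%\$*}                    # keep the digits before the salt
            case "$rounds" in ''|*[!0-9]*) return 1 ;; esac   # malformed count
            [ "$rounds" -ge "$MIN_ROUNDS" ] ;;       # exit status becomes the result
        '$6$'*) [ 5000 -ge "$MIN_ROUNDS" ] ;;        # sha512-crypt with implicit default
        *) return 1 ;;                               # $1$ md5, $5$ sha256, DES, ...
    esac
}

# audit_shadow < shadow-file
# Prints, one per line, every account whose hash fails check_shadow_hash.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        rc=0
        check_shadow_hash "$hash" || rc=$?
        if [ "$rc" -eq 1 ]; then
            printf '%s\n' "$user"
        fi
    done
}

# Constructed sample data (fake salts and hashes, not real accounts).
sample_shadow() {
    cat <<'EOF'
root:$6$rounds=5000$fakesalt$fakehash:15600:0:99999:7:::
alice:$6$fakesalt$fakehash:15600:0:99999:7:::
bob:$6$rounds=1000$fakesalt$fakehash:15600:0:99999:7:::
carol:$1$fakesalt$fakehash:15600:0:99999:7:::
daemon:*:15600:0:99999:7:::
sshd:!:15600:0:99999:7:::
EOF
}

# On a real system: audit_shadow < /etc/shadow   (reading the file needs root)
sample_shadow | audit_shadow
```

On the sample data this prints bob (too few rounds) and carol (md5-crypt); root, alice and the locked system accounts pass. Run it against /etc/shadow after the passwd round and it should print nothing.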
Set root password
sudo passwd root
Not setting a root password allows anyone with physical access to boot into single-user mode and gain root access without a password. It’s not like hacking into a server the attacker has physical access to is hard, but at least he’ll be forced to bring (and boot) his own bootable media.
noatime mount
The only use case for atime (as far as I know) is mailboxes, but even that isn’t really a problem anymore these days. Open up /etc/fstab and add the noatime mount option to all on-disk filesystems.
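Editing fstab by hand is fine for one box; for several VMs it helps to script it. The following is an added example, not from the original post: it adds noatime to every on-disk filesystem entry of an fstab-format text read on stdin, skips swap, proc, tmpfs and the like, and never adds the option twice. The list of filesystem types it treats as on-disk is an assumption; extend it for the types you actually use. The sample fstab is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: add the noatime mount option to
# every on-disk filesystem entry of an fstab-format text read on stdin, leaving
# swap, tmpfs, proc and the like untouched, and never adding noatime twice.
# Writes the result to stdout. The filesystem type list is an assumption.
add_noatime() {
    awk '
    # Comments and blank lines pass through unchanged.
    /^[[:space:]]*#/ || NF == 0 { print; next }
    {
        fstype = $3
        ondisk = (fstype ~ /^(ext2|ext3|ext4|xfs|btrfs|jfs|reiserfs)$/)
        # Match noatime only as a whole option, so "relatime" is not mistaken for it.
        if (ondisk && $4 !~ /(^|,)noatime(,|$)/)
            $4 = $4 ",noatime"
        print
    }'
}

# Constructed sample fstab (not a real system).
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc nodev,noexec,nosuid 0 0
UUID=0000-example-root / ext4 errors=remount-ro 0 1
UUID=0000-example-home /home ext4 defaults,noatime 0 2
UUID=0000-example-swap none swap sw 0 0
tmpfs /tmp tmpfs defaults,noatime 0 0
EOF
}

# Review the output, then copy it over /etc/fstab and remount (e.g. mount -o remount /).
sample_fstab | add_noatime
```

Only the root entry changes in the sample; /home already has noatime and the others are not on-disk filesystems. Note that awk rebuilds a line it modifies with single spaces between fields, so column alignment is lost on those lines.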
Disable vesa boot
Mainly for virtualized environment since I don’t usually look at its console screen.
First, grub. Open /etc/default/grub and uncomment the following line:
GRUB_TERMINAL=console
Update grub.cfg by running update-grub.
And then the console itself. Comment out the following lines in /etc/default/console-setup:
FONTFACE="Fixed"
FONTSIZE="16"
And then uncomment blacklist vesafb in /etc/modprobe.d/blacklist-framebuffer.conf.
Disable terminals 2-6
Mostly for low-end VMs which need all the RAM they can get.
for i in 2 3 4 5 6; do echo "manual" > "/etc/init/tty${i}.override"; done
Disable rDNS for sshd
There isn’t much use doing rDNS lookups for sshd, and they slow down connecting.
Disable it with:
echo 'UseDNS no' >> /etc/ssh/sshd_config
service ssh reload
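Appending works on a stock sshd_config, but sshd takes the first occurrence of a keyword, so an appended "UseDNS no" does nothing if a "UseDNS yes" already sits higher up, and anything appended after a Match line only applies inside that Match block. The function below is an added example, not from the original post: it sets a keyword in sshd_config text read on stdin so that it actually takes effect, replacing the first active occurrence, commenting out later duplicates, inserting before the first Match block when the keyword is absent, and never touching Match blocks themselves. The sample config fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: set an sshd_config keyword so that
# it actually takes effect. sshd uses the FIRST occurrence of a keyword, so
# appending "UseDNS no" below an existing "UseDNS yes" changes nothing, and
# anything appended after a "Match" line only applies inside that Match block.
# Reads config text on stdin, writes the updated text on stdout.
set_sshd_option() {
    key=$1; value=$2
    awk -v key="$key" -v value="$value" '
    {
        # First word of the line, lower-cased (keywords are case-insensitive);
        # both "Key value" and "Key=value" forms are handled.
        first = tolower($0)
        sub(/^[[:space:]]+/, "", first)
        sub(/[[:space:]=].*$/, "", first)

        if (in_match) { print; next }            # never touch Match blocks
        if (first == "match") {                  # the global section ends here
            if (!done) { print key " " value; done = 1 }
            in_match = 1; print; next
        }
        if (first == tolower(key)) {             # active occurrence of the keyword
            if (done) { print "#" $0 } else { print key " " value; done = 1 }
            next
        }
        print
    }
    END { if (!done) print key " " value }'
}

# Constructed sample sshd_config fragment.
sample_sshd_config() {
    cat <<'EOF'
Port 22
UseDNS yes
# UseDNS no
X11Forwarding yes
Match User backup
    X11Forwarding no
EOF
}

# On a real system: set_sshd_option UseDNS no < /etc/ssh/sshd_config > sshd_config.new,
# review the result, move it into place and run "service ssh reload".
sample_sshd_config | set_sshd_option UseDNS no
```

Commented-out lines are left alone, so the "# UseDNS no" in the sample stays as it is while the active "UseDNS yes" becomes "UseDNS no". Whatever method you use, `sshd -T` afterwards shows the effective value.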
Disable known_hosts hashing
It makes reading known_hosts almost impossible since the host names are hashed instead of stored in plain text. Unless you plan on connecting to weirdly named servers, it’s better to disable it so the file can be read easily.
Comment out this line in /etc/ssh/ssh_config:
HashKnownHosts yes
So it looks like this:
# HashKnownHosts yes