{"id":512,"date":"2021-11-02T20:41:36","date_gmt":"2021-11-02T20:41:36","guid":{"rendered":"https:\/\/andrejacobs.org\/?p=512"},"modified":"2022-04-11T20:22:59","modified_gmt":"2022-04-11T20:22:59","slug":"installing-ubuntu-server-20-04-part-2","status":"publish","type":"post","link":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/","title":{"rendered":"Installing Ubuntu Server 20.04 \u2013 part 2"},"content":{"rendered":"\n<p class=\"has-small-font-size\">Photo by <a href=\"https:\/\/unsplash.com\/@6heinz3r?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\">Gabriel Heinzer<\/a> on <a href=\"https:\/\/unsplash.com\/s\/photos\/linux?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\">Unsplash<\/a><\/p>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><h2>Overview<\/h2>\n<p>Following on from <a href=\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-1\/\">part 1<\/a> the plan for today is:<\/p>\n<ul>\n<li>Automatic update Ubuntu.<\/li>\n<li>Setup email delivery so I can receive notifications when things go wrong.<\/li>\n<li>Monitor CPU temperature and tune power usage.<\/li>\n<li>Security monitoring and intrusion detection with tools like: rkhunter, logwatch, tiger and fail2ban.<\/li>\n<li>Additional hardening.<\/li>\n<\/ul>\n<h2>Automatic updates<\/h2>\n<p>It is crucial that a server receives security updates and in this section I will install &quot;automatic&quot; updates for Ubuntu. For more information see <a href=\"https:\/\/www.cyberciti.biz\/faq\/set-up-automatic-unattended-updates-for-ubuntu-20-04\/\">Cyberciti.biz&#8217;s post<\/a>.<\/p>\n<ul>\n<li>Update packages first.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt -y update &amp;&amp; sudo apt -y upgrade\n<\/code><\/pre>\n<ul>\n<li>Install unattended-upgrades that will automatically update for security packages.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt install unattended-upgrades apt-listchanges bsd-mailx\n\n# Turn it on\n$ sudo dpkg-reconfigure -plow unattended-upgrades\n<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/andrejacobs.org\/wp-content\/uploads\/2021\/11\/LP2.png\" alt=\"\"><\/p>\n<ul>\n<li>Configure email notifications. <strong>NOTE:<\/strong> I recommend you setup the email delivery system first in the next session and then come back to this part.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo vi \/etc\/apt\/apt.conf.d\/50unattended-upgrades\n\nUnattended-Upgrade::Mail &quot;user@somewhere.com&quot;;\n\n$ sudo vi \/etc\/apt\/listchanges.conf\n\nemail_address=user@somewhere.com\n<\/code><\/pre>\n<ul>\n<li>Verify by doing a dry run.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo unattended-upgrades --dry-run\n<\/code><\/pre>\n<ul>\n<li>Commit changes to etckeeper.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo etckeeper commit &quot;Configured automatic updates&quot;\n<\/code><\/pre>\n<h2>Email delivery<\/h2>\n<p>The server will not be receiving email but it still needs to be able to send email to me for alerts and notifications. I will setup the server to relay email via another mail server.<\/p>\n<p>The objective is to relay email from the server to another mail server for example: smtp.server.org at port 465 and to use TLS.<\/p>\n<ul>\n<li>Install <a href=\"http:\/\/www.postfix.org\/\">postfix<\/a>.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt install postfix\n<\/code><\/pre>\n<ul>\n<li>Select &quot;No configuration&quot;.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/andrejacobs.org\/wp-content\/uploads\/2021\/11\/LP2-1.png\" alt=\"\"><\/p>\n<ul>\n<li>Configure postfix.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo cp \/usr\/share\/postfix\/main.cf.debian \/etc\/postfix\/main.cf\n$ sudo vi \/etc\/postfix\/main.cf\n\n# Add this to the bottom of the file\n# Replace SERVER with the mail server to use e.g. smtp.server.org\n# Replace PORT with the tcp port e.g 465\n\nrelayhost = [SERVER]:PORT\nsmtp_use_tls=yes\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:\/etc\/postfix\/sasl_passwd\nsmtp_tls_CAfile = \/etc\/ssl\/certs\/ca-certificates.crt\nsmtp_sasl_security_options = noanonymous\nsmtp_tls_wrappermode = yes\nsmtp_tls_security_level = encrypt\n# Uncomment the following lines to debug any issues\n#debug_peer_list=SERVER\n#debug_peer_level=4\n<\/code><\/pre>\n<ul>\n<li>Create user credentials that will be used for delivering email. These are the credentials that the relay mail server requires.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo vi \/etc\/postfix\/sasl_passwd\n\n[SERVER]:PORT  username:password\n\n$ sudo postmap \/etc\/postfix\/sasl_passwd\n# Ensure permissions are correct\n$ sudo chown root \/etc\/postfix\/sasl_passwd*\n$ sudo chmod 0600 \/etc\/postfix\/sasl_passwd*\n$ ls -la \/etc\/postfix\/\n\n-rw-------   1 root root    66 Nov  2 19:52 sasl_passwd\n-rw-------   1 root root 12288 Nov  2 19:54 sasl_passwd.db\n<\/code><\/pre>\n<ul>\n<li>Restart postfix and check the logs.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\"># I will be monitoring the logs for a bit, so now is a good time to start\n# a tmux session\n$ tmux\n\n# Split the window into two vertical panes: Ctrl + b %\n# Switch to the left pane: Ctrl + b o\n# Restart postfix\ntmux$ sudo systemctl restart postfix\n\n# Switch to the other pane: Ctrl + b o\n# Start monitoring the log\ntmux$ sudo tail -f \/var\/log\/mail.log\n<\/code><\/pre>\n<ul>\n<li>Send a test email.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\"># To install the mail program\ntmux$ sudo apt install mailutils\n\n# Back in the left hand tmux pane (not the one monitoring the log)\ntmux$ echo &quot;The quick brown fox&quot; | mail -s &quot;Testing mail setup&quot; USER@MAIL.COM\n\n# You should receive the email shortly\n# Test that root can also send email\ntmux$ sudo su\ntmux$ echo &quot;The quick brown fox&quot; | mail -s &quot;Testing mail setup&quot; USER@MAIL.COM\n<\/code><\/pre>\n<ul>\n<li>To <strong>troubleshoot<\/strong> any issues.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\"># Enable debugging\n$ sudo vi \/etc\/postfix\/main.cf\n\n# Uncomment the lines you added previously\n\t\t\ndebug_peer_list=SERVER\ndebug_peer_level=4\n\n# Restart postfix and monitor the logs (Follow the tmux steps from earlier)\n$ sudo systemctl restart postfix\n$ sudo tail -f \/var\/log\/mail.log\n<\/code><\/pre>\n<ul>\n<li>Last thing to do is to ensure that cron jobs run by root can send emails to an external email instead of the local root user.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo crontab -e\n\nMAILTO=user@mail.com\n<\/code><\/pre>\n<ul>\n<li>Commit changes to etckeeper<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo etckeeper commit &quot;Setup email delivery&quot;\n<\/code><\/pre>\n<h2>Monitor CPU temperature<\/h2>\n<p>Now that we have email delivery setup, it is a good time to setup a cron job that can monitor CPU temperature and send me an email when things get to hot.<\/p>\n<ul>\n<li>Install lm-sensors.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt install lm-sensors\n<\/code><\/pre>\n<ul>\n<li>Run the following, and <strong>read very carefully<\/strong> and answers yes or no, generally the defaults are ok. <strong>This can screw up things if you are not careful!<\/strong><\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo sensors-detect\n$ sudo service kmod start\n\n# I chose the default option for 99% of the questions, just press ENTER\n# However this one, I answered yes so that the coretemp module can be loaded at reboots.\nDo you want to add these lines automatically to \/etc\/modules? (yes\/NO) yes\n<\/code><\/pre>\n<ul>\n<li>Check that it works.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo sensors\n\nacpitz-acpi-0\nAdapter: ACPI interface\ntemp1:        +27.8\u00b0C  (crit = +119.0\u00b0C)\ntemp2:        +29.8\u00b0C  (crit = +119.0\u00b0C)\n\ncoretemp-isa-0000\nAdapter: ISA adapter\nPackage id 0:  +28.0\u00b0C  (high = +80.0\u00b0C, crit = +100.0\u00b0C)\nCore 0:        +26.0\u00b0C  (high = +80.0\u00b0C, crit = +100.0\u00b0C)\nCore 1:        +28.0\u00b0C  (high = +80.0\u00b0C, crit = +100.0\u00b0C)\n<\/code><\/pre>\n<ul>\n<li>Create a script that can be run as a cron job to monitor CPU temperature and send an email when things get hot. This script will also shutdown the server if it gets to a critical temperature.\nI have been using this script for donkey years now and you can download a copy from my <a href=\"https:\/\/github.com\/andrejacobs\/scripts\/blob\/main\/NAS\/cputempmon.sh\">git repo<\/a>.<\/li>\n<\/ul>\n<p>The script works on two temperature levels. If a CPU Core temperature goes above WARN_TEMP then an email will be sent out. If a temperature goes above CRIT_TEMP then an email will be sent out and the system be shutdown after 10 seconds.<\/p>\n<pre><code class=\"language-bash\">$ sudo mkdir -p \/root\/scripts\n$ sudo vi \/root\/scripts\/cputempmon.sh\n<\/code><\/pre>\n<pre><code class=\"language-bash\">#!\/bin\/bash\n# Monitor CPU temperature and take action if needed\n# Andr\u00e9 Jacobs 14\/05\/2014\n# note: running on cron every minute, * * * * * \/....\/cputempmon.sh\n\nEMAIL=user@somewhere.com\nWARN_TEMP=70\nCRIT_TEMP=90\n\nwarn_flag=false\ncrit_flag=false\n\nfor line in `sensors | grep -oP &quot;Core\\s+\\d:\\s+\\+?(\\K\\d+)&quot;`; do\n    if [ ${line} -ge ${WARN_TEMP} ]; then\n        warn_flag=true\n    fi\n\n    if [ ${line} -ge ${CRIT_TEMP} ]; then\n        crit_flag=true\n    fi\ndone\n\nif [ &quot;${crit_flag}&quot; = true ]; then\n    \/bin\/echo &quot;CRITICAL: CPU temperature &gt;= ${CRIT_TEMP}&quot; | \/usr\/bin\/mail -s &quot;[Server] CRITICAL CPU Temperature!&quot; ${EMAIL}\n    sleep 10\n    \/sbin\/shutdown -h now\n    exit\nfi\n\nif [ &quot;${warn_flag}&quot; = true ]; then\n    \/bin\/echo &quot;WARNING: CPU temperature &gt;= ${WARN_TEMP}&quot; | \/usr\/bin\/mail -s &quot;[Server] WARNING CPU Temperature&quot; ${EMAIL}\nfi\n<\/code><\/pre>\n<ul>\n<li>Ensure only root can read and execute the script.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo chmod 700 \/root\/scripts\/cputempmon.sh\n$ sudo chmod 700 \/root\/scripts\/\n$ sudo chown -R root:root \/root\/scripts\n<\/code><\/pre>\n<ul>\n<li>Schedule a cron job to run every minute and run the script.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo crontab -e\n\n# Monitor CPU temperature every minute\n* * * * * \/root\/scripts\/cputempmon.sh\n<\/code><\/pre>\n<ul>\n<li>You can verify this works by lowering the WARN_TEMP and CRIT_TEMP values then run some intensive CPU task like sysbench.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sysbench --test=cpu --cpu-max-prime=1000000000 --threads=4 run\n<\/code><\/pre>\n<h2>Tuning power usage<\/h2>\n<p>In a later section I will cover how to tune the power down for hard disk idle times.<\/p>\n<ul>\n<li>Install powertop.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt install powertop\n<\/code><\/pre>\n<ul>\n<li>Run and tune as needed. You can use <code>tab<\/code> to switch tabs and the values to be tweaked can be found under the <code>Tunables<\/code> tab. You can press <code>enter<\/code> to allow powertop to tweak a setting.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo powertop\n<\/code><\/pre>\n<ul>\n<li>Before:<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/andrejacobs.org\/wp-content\/uploads\/2021\/11\/LP2-2.png\" alt=\"\"><\/p>\n<ul>\n<li>After:<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/andrejacobs.org\/wp-content\/uploads\/2021\/11\/LP2-3.png\" alt=\"\"><\/p>\n<h2>Security monitoring<\/h2>\n<p>In this section I will be installing various tools used to monitor the server and detect potential intrusions.<\/p>\n<h3>Rootkit hunting with rkhunter<\/h3>\n<p>rkhunter is great and it not only checks for known rootkits but it also does various other things including checking if files were modified.<\/p>\n<ul>\n<li>Install rkhunter.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt install rkhunter\n<\/code><\/pre>\n<ul>\n<li>Configure rkhunter.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo vi \/etc\/rkhunter.conf\n\n# Send email notifications\nMAIL-ON-WARNING=&quot;user@somewhere.com&quot;\n<\/code><\/pre>\n<ul>\n<li>Do an initial check.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo rkhunter --check --sk\n\n... # All is ok except this warning\nChecking for hidden files and directories                [ Warning ]\n\n# Check the log file to see what is being picked up\n$ sudo less \/var\/log\/rkhunter.log\n...\n[19:55:13] Warning: Hidden directory found: \/etc\/.git\n[19:55:13] Warning: Hidden file found: \/etc\/.etckeeper: ASCII text\n[19:55:13] Warning: Hidden file found: \/etc\/.gitignore: ASCII text\n\n# Note: If you configured the email reporting then you should have\n# also received an email from rkhunter warning you.\n<\/code><\/pre>\n<ul>\n<li>Whitelist the hidden files and directories found that is legit.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo vi \/etc\/rkhunter.conf\n\nALLOWHIDDENDIR=\/etc\/.git\nALLOWHIDDENFILE=\/etc\/.gitignore\nALLOWHIDDENFILE=\/etc\/.etckeeper\n\n# Perform the check again\n$ sudo rkhunter --check --sk\n<\/code><\/pre>\n<ul>\n<li>Ensure rkhunter runs at least once a day. A cron file exists <code>\/etc\/cron.daily\/rkhunter<\/code> that will be run daily. However the config file for this also need to be updated.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo vi \/etc\/default\/rkhunter\n\nCRON_DAILY_RUN=&quot;true&quot;\nREPORT_EMAIL=&quot;user@somewhere.com&quot;\n# This will ensure that rkhunter's database is updated when apt packages are installed or updated.\nAPT_AUTOGEN=&quot;true&quot;\n\n# Do a cron test run\n$ sudo \/etc\/cron.daily\/rkhunter\n<\/code><\/pre>\n<ul>\n<li><strong>NOTE:<\/strong> It used to be that you would update rkhunter&#8217;s known signatures etc. using a command like <code>sudo rkhunter --update<\/code> . However this will now fail because mirrors and the WEB_CMD has been disabled for good reason. It is better to update these through automatic updates and apt. The internet is full of examples showing how to edit the .conf file but with no real explanation as to what it is doing.<\/li>\n<li>Update the database when you make system changes. Run this when you have made changes and would like rkhunter to know about these changes and not raise false positives. To be honest I would use this sparingly and rather receive false positive warning emails come through that I can then investigate. This ensure that I know from time to time that rkhunter is still working as it should.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo rkhunter --propupd\n<\/code><\/pre>\n<ul>\n<li>I am happy with the initial setup and reporting. Time to update the database and etckeeper.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo rkhunter --propupd\n$ sudo etckeeper commit &quot;Configured rkhunter&quot;\n<\/code><\/pre>\n<h3>Log monitoring with logwatch<\/h3>\n<p>Logwatch will scan log files and send you a report. This is handy to pick up when things start going bad.<\/p>\n<ul>\n<li>Install logwatch.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt install logwatch\n\n# You will also need the following directory or the cron job will fail\n$ sudo mkdir \/var\/cache\/logwatch\n\n# NOTE: By now etckeeper should be doing auto commits\n[main 3e5c81f] committing changes in \/etc made by &quot;apt install logwatch&quot;\n# Aswell as rkhunter gets updated\n[ Rootkit Hunter version 1.4.6 ]\nFile updated: searched for 180 files, found 142\n<\/code><\/pre>\n<ul>\n<li>To get a summary report in the terminal.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo logwatch | less\n<\/code><\/pre>\n<ul>\n<li>To get an email report for the last 7 days.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo logwatch --mailto user@somewhere.com --output mail --format html --range 'between -7 days and today'\n<\/code><\/pre>\n<ul>\n<li>Configure logwatch.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\"># Copy the base config file so we can override it inside of \/etc\/\n$ sudo cp \/usr\/share\/logwatch\/default.conf\/logwatch.conf \/etc\/logwatch\/conf\/\n$ sudo vi \/etc\/logwatch\/conf\/logwatch.conf\n\n# Configure to send an HTML email\nOutput = mail\nFormat = html\nMailTo = user@somewhere.com\n\n# Initially I want as much info to be reported on until the system is tweaked\n# then it will go back to Low\nDetail = High\n<\/code><\/pre>\n<ul>\n<li>Logwatch should have been installed with a cron job to run daily at the file <code>\/etc\/cron.daily\/00logwatch<\/code>.\nYou can test this runs as expected.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo \/etc\/cron.daily\/00logwatch\n<\/code><\/pre>\n<ul>\n<li>Commit changes to etckeeper. <code>sudo etckeeper commit &quot;Configured logwatch&quot;<\/code><\/li>\n<\/ul>\n<h3>Security audit and intrusion detection with Tiger<\/h3>\n<ul>\n<li>Install <a href=\"https:\/\/www.nongnu.org\/tiger\/\">tiger<\/a>. Note this will also install the classic tripwire program.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt install tiger\n\n# Tripwire Configuration\n... create site key passphrase during installation? Yes\n... create local key passphrase during installation? Yes\nRebuild Tripwire configuration file? Yes\nRebuild Tripwire policy file? Yes\n\n# Generate a site and local key passphrase in your password manager and\n# then supply it when asked\n<\/code><\/pre>\n<ul>\n<li>Configure tiger.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo vi \/etc\/tiger\/tigerrc\n\n# Send email\nTiger_Mail_RCPT=&quot;user@somewhere.com&quot;\n<\/code><\/pre>\n<ul>\n<li>Tiger will run daily as a cron job as specified by the file <code>\/etc\/cron.d\/tiger<\/code>. Tripwire will also run daily under cron.<\/li>\n<li>Run tiger.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo tiger\n...\nSecurity report is in `\/var\/log\/tiger\/security.report.server.211102-19:42'\n\n$ sudo less \/var\/log\/tiger\/security.report.server.211102-19:42\n<\/code><\/pre>\n<ul>\n<li>Reports are stored in the directory: <code>\/var\/log\/tiger<\/code>.<\/li>\n<li>Commit changes to etckeeper<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo etckeeper commit &quot;Configured Tiger&quot;\n<\/code><\/pre>\n<h3>Automatic banning with fail2ban<\/h3>\n<p>Fail2ban will monitor log files and adjust firewall rules as needed to automatically ban network connections that look malicious.<\/p>\n<ul>\n<li>Install fail2ban.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo apt install fail2ban\n<\/code><\/pre>\n<ul>\n<li>Configure fail2ban.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local\n$ sudo vi \/etc\/fail2ban\/jail.local\n\n# Ban for 1 hour\nbantime  = 1h\n# &quot;maxretry&quot; is the number of failures before a host get banned.\nmaxretry = 3\n\n# You can use this value to not ban certain machines.\n#ignoreip = 127.0.0.1\/8 ::1\n\n# Send to email account\ndestemail = user@somewhere.com\n\n# ban &amp; send an e-mail with whois report and relevant log lines\naction = %(action_mwl)s\n\n# Configure SSH\n[sshd]\nmode    = aggressive\nport    = 8204 # Or whatever you used.\n<\/code><\/pre>\n<ul>\n<li>Restart and enable.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo systemctl restart fail2ban.service \n$ sudo systemctl enable fail2ban.service\n<\/code><\/pre>\n<ul>\n<li>Time to test this. Use another computer \/ IP that will be banned.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">someother$ ssh -p 8204 koos@server\nsomeother$ ssh -p 8204 koos@server\nsomeother$ ssh -p 8204 koos@server\n\n# Ok at this stage the IP got banned\n# Verify this on the server by checking the log\n$ sudo grep 'Ban' \/var\/log\/fail2ban.log\n\n$ sudo fail2ban-client status sshd\nStatus for the jail: sshd\n|- Filter\n|  |- Currently failed:\t1\n|  |- Total failed:\t4\n|  `- File list:\t\/var\/log\/auth.log\n`- Actions\n   |- Currently banned:\t1\n   |- Total banned:\t1\n   `- Banned IP list:\t192.168.x.x\n\n# Also you should be receiving a nice detailed email about the ban\n<\/code><\/pre>\n<ul>\n<li>Commit changes to etckeeper.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo etckeeper commit &quot;Configured fail2ban&quot;\n<\/code><\/pre>\n<h2>Additional hardening<\/h2>\n<ul>\n<li>Disable root account.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo passwd -l root\n<\/code><\/pre>\n<ul>\n<li>Tuning network kernel parameters with <code>sysctl<\/code><\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo vi \/etc\/sysctl.conf\n\n# prevent some spoofing attacks\nnet.ipv4.conf.default.rp_filter=1\nnet.ipv4.conf.all.rp_filter=1\n\n# SYN flood protection\nnet.ipv4.tcp_syncookies=1\nnet.ipv4.tcp_synack_retries = 5\n\n# Do not accept ICMP redirects (prevent MITM attacks)\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\n\n# Do not send ICMP redirects (we are not a router)\nnet.ipv4.conf.all.send_redirects = 0\n# Do not accept IP source route packets (we are not a router)\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\n\n# Log Martian Packets\nnet.ipv4.conf.all.log_martians = 1\n\n# Ignore bad ICMP errors\nnet.ipv4.icmp_ignore_bogus_error_responses=1\n\n# Ignore all ICMP echos and pings\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_echo_ignore_all = 1\n\n# Reboot 10 seconds after a kernel panic\nkernel.panic=10\n\n# Turn on address space layout randomization (ASLR)\nkernel.randomize_va_space=2\n\n# Hard link and symbolic link protection\nfs.protected_hardlinks=1\nfs.protected_symlinks=1\n\n---\n# To load the changes\n$ sudo sysctl -p\n\n# To see all the current values\n$ sudo sysctl -a\n<\/code><\/pre>\n<ul>\n<li>After doing the above you will no longer be able to ping the server on the network<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">local$ ping server\nPING server (192.168.x.x): 56 data bytes\nRequest timeout for icmp_seq 0\nRequest timeout for icmp_seq 1\n<\/code><\/pre>\n<ul>\n<li>Commit changes to etckeeper.<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">$ sudo etckeeper commit &quot;Configuring sysctl&quot;\n<\/code><\/pre>\n<h2>In the next sessions<\/h2>\n<ul>\n<li>Add existing RAID array and non raided disks back to the system.<\/li>\n<li>Setup Samba file sharing.<\/li>\n<li>Setup Time machine for Mac backups.<\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Photo by Gabriel Heinzer on Unsplash [&#8230;]<\/p>\n<p><a class=\"understrap-read-more-link\" href=\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":2,"featured_media":514,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[5],"tags":[47],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.13 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Installing Ubuntu Server 20.04 \u2013 part 2 - Andr\u00e9 Jacobs<\/title>\n<meta name=\"description\" content=\"Setup Ubuntu automatic updates, email delivery, cpu temperature monitoring and install security auditing and monitoring tools.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Installing Ubuntu Server 20.04 \u2013 part 2 - Andr\u00e9 Jacobs\" \/>\n<meta property=\"og:description\" content=\"Setup Ubuntu automatic updates, email delivery, cpu temperature monitoring and install security auditing and monitoring tools.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Andr\u00e9 Jacobs\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-02T20:41:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-11T20:22:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/andrejacobs.org\/wp-content\/uploads\/2021\/11\/gabriel-heinzer-4Mw7nkQDByk-unsplash.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1440\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Andr\u00e9 Jacobs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@andrejacobs81\" \/>\n<meta name=\"twitter:site\" content=\"@andrejacobs81\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Andr\u00e9 Jacobs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/\"},\"author\":{\"name\":\"Andr\u00e9 Jacobs\",\"@id\":\"https:\/\/andrejacobs.org\/#\/schema\/person\/3d38360883015e883c80c2fb875c5a68\"},\"headline\":\"Installing Ubuntu Server 20.04 \u2013 part 2\",\"datePublished\":\"2021-11-02T20:41:36+00:00\",\"dateModified\":\"2022-04-11T20:22:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/\"},\"wordCount\":1019,\"publisher\":{\"@id\":\"https:\/\/andrejacobs.org\/#\/schema\/person\/3d38360883015e883c80c2fb875c5a68\"},\"keywords\":[\"Ubuntu\"],\"articleSection\":[\"Linux\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/\",\"url\":\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/\",\"name\":\"Installing Ubuntu Server 20.04 \u2013 part 2 - Andr\u00e9 Jacobs\",\"isPartOf\":{\"@id\":\"https:\/\/andrejacobs.org\/#website\"},\"datePublished\":\"2021-11-02T20:41:36+00:00\",\"dateModified\":\"2022-04-11T20:22:59+00:00\",\"description\":\"Setup Ubuntu automatic updates, email delivery, cpu temperature monitoring and install security auditing and monitoring tools.\",\"breadcrumb\":{\"@id\":\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/andrejacobs.org\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Installing Ubuntu Server 20.04 \u2013 part 2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/andrejacobs.org\/#website\",\"url\":\"https:\/\/andrejacobs.org\/\",\"name\":\"Andr\u00e9 Jacobs\",\"description\":\"iOS Development, Electronics, Robotics, Artificial Intelligence, Business and Health\",\"publisher\":{\"@id\":\"https:\/\/andrejacobs.org\/#\/schema\/person\/3d38360883015e883c80c2fb875c5a68\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/andrejacobs.org\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/andrejacobs.org\/#\/schema\/person\/3d38360883015e883c80c2fb875c5a68\",\"name\":\"Andr\u00e9 Jacobs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/andrejacobs.org\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/andrejacobs.org\/wp-content\/uploads\/2019\/03\/andre_jacobs.jpg\",\"contentUrl\":\"https:\/\/andrejacobs.org\/wp-content\/uploads\/2019\/03\/andre_jacobs.jpg\",\"width\":450,\"height\":450,\"caption\":\"Andr\u00e9 Jacobs\"},\"logo\":{\"@id\":\"https:\/\/andrejacobs.org\/#\/schema\/person\/image\/\"},\"sameAs\":[\"https:\/\/andrejacobs.org\",\"https:\/\/www.youtube.com\/channel\/UCzqXvnd_UJ3sAzQkQBD-IVw\"],\"url\":\"https:\/\/andrejacobs.org\/author\/andre\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Installing Ubuntu Server 20.04 \u2013 part 2 - Andr\u00e9 Jacobs","description":"Setup Ubuntu automatic updates, email delivery, cpu temperature monitoring and install security auditing and monitoring tools.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/","og_locale":"en_GB","og_type":"article","og_title":"Installing Ubuntu Server 20.04 \u2013 part 2 - Andr\u00e9 Jacobs","og_description":"Setup Ubuntu automatic updates, email delivery, cpu temperature monitoring and install security auditing and monitoring tools.","og_url":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/","og_site_name":"Andr\u00e9 Jacobs","article_published_time":"2021-11-02T20:41:36+00:00","article_modified_time":"2022-04-11T20:22:59+00:00","og_image":[{"width":1920,"height":1440,"url":"https:\/\/andrejacobs.org\/wp-content\/uploads\/2021\/11\/gabriel-heinzer-4Mw7nkQDByk-unsplash.jpg","type":"image\/jpeg"}],"author":"Andr\u00e9 Jacobs","twitter_card":"summary_large_image","twitter_creator":"@andrejacobs81","twitter_site":"@andrejacobs81","twitter_misc":{"Written by":"Andr\u00e9 Jacobs","Estimated reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/#article","isPartOf":{"@id":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/"},"author":{"name":"Andr\u00e9 Jacobs","@id":"https:\/\/andrejacobs.org\/#\/schema\/person\/3d38360883015e883c80c2fb875c5a68"},"headline":"Installing Ubuntu Server 20.04 \u2013 part 2","datePublished":"2021-11-02T20:41:36+00:00","dateModified":"2022-04-11T20:22:59+00:00","mainEntityOfPage":{"@id":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/"},"wordCount":1019,"publisher":{"@id":"https:\/\/andrejacobs.org\/#\/schema\/person\/3d38360883015e883c80c2fb875c5a68"},"keywords":["Ubuntu"],"articleSection":["Linux"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/","url":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/","name":"Installing Ubuntu Server 20.04 \u2013 part 2 - Andr\u00e9 Jacobs","isPartOf":{"@id":"https:\/\/andrejacobs.org\/#website"},"datePublished":"2021-11-02T20:41:36+00:00","dateModified":"2022-04-11T20:22:59+00:00","description":"Setup Ubuntu automatic updates, email delivery, cpu temperature monitoring and install security auditing and monitoring tools.","breadcrumb":{"@id":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/andrejacobs.org\/linux\/installing-ubuntu-server-20-04-part-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/andrejacobs.org\/"},{"@type":"ListItem","position":2,"name":"Installing Ubuntu Server 20.04 \u2013 part 2"}]},{"@type":"WebSite","@id":"https:\/\/andrejacobs.org\/#website","url":"https:\/\/andrejacobs.org\/","name":"Andr\u00e9 Jacobs","description":"iOS Development, Electronics, Robotics, Artificial Intelligence, Business and Health","publisher":{"@id":"https:\/\/andrejacobs.org\/#\/schema\/person\/3d38360883015e883c80c2fb875c5a68"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/andrejacobs.org\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-GB"},{"@type":["Person","Organization"],"@id":"https:\/\/andrejacobs.org\/#\/schema\/person\/3d38360883015e883c80c2fb875c5a68","name":"Andr\u00e9 Jacobs","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/andrejacobs.org\/#\/schema\/person\/image\/","url":"https:\/\/andrejacobs.org\/wp-content\/uploads\/2019\/03\/andre_jacobs.jpg","contentUrl":"https:\/\/andrejacobs.org\/wp-content\/uploads\/2019\/03\/andre_jacobs.jpg","width":450,"height":450,"caption":"Andr\u00e9 Jacobs"},"logo":{"@id":"https:\/\/andrejacobs.org\/#\/schema\/person\/image\/"},"sameAs":["https:\/\/andrejacobs.org","https:\/\/www.youtube.com\/channel\/UCzqXvnd_UJ3sAzQkQBD-IVw"],"url":"https:\/\/andrejacobs.org\/author\/andre\/"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/andrejacobs.org\/wp-content\/uploads\/2021\/11\/gabriel-heinzer-4Mw7nkQDByk-unsplash.jpg","_links":{"self":[{"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/posts\/512"}],"collection":[{"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/comments?post=512"}],"version-history":[{"count":2,"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/posts\/512\/revisions"}],"predecessor-version":[{"id":515,"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/posts\/512\/revisions\/515"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/media\/514"}],"wp:attachment":[{"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/media?parent=512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/categories?post=512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andrejacobs.org\/wp-json\/wp\/v2\/tags?post=512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}