# How to setup new ubuntu or centos server

## **NEW Virtual Machine SETUP**

Ssh into the server using any of the ssh keys that you enabled during the configuration setup step. For example, ssh root@162.x.x.x

Once you ssh into the server, update the software packages

```plaintext
apt update 
apt upgrade -y 
```

Disable password authentication

```plaintext
vim /etc/ssh/sshd_config
```

change Password authentication to no

```plaintext
PasswordAuthentication yes
```

to

```plaintext
PasswordAuthentication no
```

Disable Empty Passwords

```plaintext
PermitEmptyPasswords no
```

Install several packages that are necessary

```plaintext
apt install -y curl tmux zsh vim mosh unzip iftop vim net-tools nmap
apt  install -y  nload iotop htop
apt install -y git python  python3 python3-pip
apt install -y ca-certificates
update-ca-certificates
curl https://rclone.org/install.sh | sudo bash
```

install unattended-upgrade packages to update only security packages

```plaintext
apt install unattended-upgrades
```

Install docker-compose

```plaintext
curl -L https://github.com/docker/compose/releases/download/1.26.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
cd /usr/local/bin && chmod 755 docker-compose
echo "export PATH=$PATH:/usr/local/bin" >> /root/.bashrc
```

Set time zone to India

```plaintext
timedatectl set-timezone Asia/Kolkata
```

add a new user as ubuntu

```plaintext
adduser --disabled-password ubuntu
```

add user  to sudo group

```plaintext
adduser ubuntu sudo 
```

edit visudo

```plaintext
visudo
```

add the following (for centos change name )

```plaintext
ubuntu ALL = NOPASSWD : ALL
```

save and exit

remove root login if required

```plaintext
 vim /etc/ssh/sshd_config
```

edit the following line

```plaintext
PermitRootLogin yes
```

to

```plaintext
PermitRootLogin no
```

After changing, save and exit

keep another session open and restart the ssh or sshd service

```plaintext
systemctl restart sshd
systemctl restart ssh
```

## **Now all the next series of commands must be run as the newly created Ubuntu user**

```plaintext
su - ubuntu
```

Download the script to install oh-my-zsh

```plaintext
wget https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh && chmod 755 install.sh
```

Install oh-my-zsh using the downloaded script:

```bash
/install.sh --unattended && rm -f install.sh
```

Inside the .zshrc file, change zsh theme to agnoster like below

```bash
vim .zshrc

ZSH_THEME="agnoster"
```

Inside the .zshrc file, add conf for zsh plugins:

```bash
plugins=(git docker docker-compose tmux common-aliases zsh-syntax-highlighting jsontools)
```

Clone extra repos for zsh plugins:

```bash
git clone https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions && git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ~/.oh-my-zsh/custom/plugins/zsh-syntax-highlighting
```

Update the default shell to zsh:

```bash
sudo usermod -s /bin/zsh centos
```

Update the default shell to zsh:

```bash
sudo usermod -s /bin/zsh centos
```

Log out from the ssh terminal completely and then ssh again.

```bash
su - ubuntu
```

Install docker:

```bash
sudo curl -fsSL https://get.docker.com/ | sh
```

Allow ubuntu user to use docker commands:

```bash
sudo usermod -aG docker ubuntu
```

Logout and Login again

```plaintext
su - ubuntu
sudo systemctl enable docker && sudo systemctl start docker
```

## **Setup basic firewall  to manage ports (shorewall or iptables -persistent)**

Iptables-Persistent

To see the rules on your system, you can use the following `iptables` command.

```bash
sudo iptables -L
```

### **Save iptables rules on DEB-based systems**

install the iptables-persistent package using the apt package manager:

```plaintext
sudo apt install iptables-persistent
```

Any current iptables rules will be saved to the corresponding IPv4 and IPv6 files below:

```plaintext
/etc/iptables/rules.v4
/etc/iptables/rules.v6
```

To update persistent iptables with new rules simply use `iptables` command to include new rules into your system. To make changes permanent after reboot run `iptables-save` command:

```plaintext
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6
```

To remove persistent iptables rules simply open a relevant `/etc/iptables/rules.v*` file and delete lines containing all unwanted rules.

### **Save iptables rules on RPM-based systems**

install the `iptables-services` package using the yum or dnf  package manager:

```plaintext
sudo yum install iptables-services
```

Any currently erected iptables rules will be saved to the corresponding IPv4 and IPv6 files below:

```plaintext
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
```

Make sure that you disable firewalld and enable the iptables service in systemd.

```plaintext
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl start iptables
sudo systemctl enable iptables
```

You can then make sure that the service is running with the following command:

```plaintext
sudo systemctl status iptables
```

To update persistent iptables with new rules simply use `iptables` command to include new rules into your system. To make changes permanent after reboot run `iptables-save` command:

```plaintext
sudo iptables-save > /etc/sysconfig/iptables
sudo ip6tables-save > /etc/sysconfig/ip6tables
```

To remove persistent iptables rules simply open a relevant `/etc/sysconfig/iptables` or `/etc/sysconfig/ip6tables` file and delete lines containing all unwanted rules

### **Install fail2ban**

The fail2ban system is an intrusion prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban will block access from that IP address.

To install fail2ban, open a terminal window and issue the command:

```plaintext
sudo apt install fail2ban
```

Within the directory /etc/fail2ban, you'll find the main configuration file, jail.conf. Also in that directory is the subdirectory, jail.d. The jail.conf file is the main configuration file and jail.d contains the secondary configuration files. Do not edit the jail.conf file. Instead, we’ll create a new configuration that will monitor SSH logins with the command:

```plaintext
sudo vim /etc/fail2ban/jail.local
```

In this new file add the following contents:

```plaintext
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
```

This configuration does the following:

* Enables the jail.
    
* Sets the SSH port to be monitored to 22.
    
* Uses the sshd filter.
    
* Sets the log file to be monitored.
    

Save and close that file. Restart fail2ban with the command:

```plaintext
sudo systemctl restart fail2ban
```
