Ubuntu Server

Ubuntu Server is my server of choice as of 2012 because of its support (5 years), relatively recent (the 12.04 as of writing of this page), completely free, based on Debian, etc. Not really anymore but I still have vm running it. It has got quite a bit of annoyances (at least for me).

Removing useless packages

apt-get purge byobu libapparmor1 bash-completion command-not-found libapparmor-perl screen command-not-found-data apparmor apparmor-utils whoopsie
  • I’m not a fan of byobu/screen
  • I find bash-completion to be awesomely annoying
  • command-not-found slows thing out
  • apparmor can go to hell
  • whoopsie reports thing to Canonical. Funny

Disabling apparmor

lxc pulls in apparmor again. Disabling it while keeping it installed can be done by editing /etc/default/grub and adding apparmor=0 to GRUB_CMDLINE_LINUX. Don’t forget to run update-grub.

Basic sources.list

###### Ubuntu Main Repos
deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
#deb-src http://us.archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse

###### Ubuntu Security Update Repos
deb http://security.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse
#deb-src http://security.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse

###### Ubuntu General Update Repos
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
#deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse

###### Ubuntu Backport Repos
deb http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
#deb-src http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

Standard stuff. The one above is for 12.04.

Multi-round password hashing

Append rounds=5000 to this line in /usr/share/pam-configs/unix:

        [success=end default=ignore]    pam_unix.so obscure sha512

It should then looks like this:

        [success=end default=ignore] pam_unix.so obscure sha512 rounds=5000

Followed by running pam-auth-update.

And then (optionally) uncomment SHA_CRYPT_MIN_ROUNDS in /etc/login.defs.

Don’t forget to rerun passwd for all users.

Set root password

sudo passwd root

Not setting root password will allow people with physical access to boot into single user mode and gain root access without password. It’s not like hacking into a server which attacker has physical access is hard but at least he’ll be forced to bring (and boot) his own bootable media.

noatime mount

The only use case for atime is (as far as I know) for mailbox but even that one isn’t really problematic anymore nowadays. Open up /etc/fstab, add noatime mount option to all on-disk filesystems.

Disable vesa boot

Mainly for virtualized environment since I don’t usually look at its console screen.

First, the grub. Open /etc/default/grub, uncomment the following line:

GRUB_TERMINAL=console

Update grub.cfg by running update-grub.

And then the console itself. Comment the following lines in /etc/default/console-setup:

FONTFACE="Fixed"
FONTSIZE="16"

And then uncomment blacklist vesafb in /etc/modprobe.d/blacklist-framebuffer.conf.

Disable terminal 2-6

Mostly for low-end VM which need all the RAMs it can have.

for i in 2 3 4 5 6; do echo "manual" > "/etc/init/tty${i}.override"; done

Disable rDNS for sshd

There isn’t much use doing rDNS lookup for sshd and it causes slow down when connecting.

Disable it with:

echo 'UseDNS no' >> /etc/ssh/sshd_config
service ssh reload

Disable known_hosts hashing

It makes reading known_hosts almost impossible since the host names are hashed instead of using plain text. Unless you plan on connecting to weirdly named servers, it’s better to disable it so the file can be easily read.

Comment this line in /etc/ssh/ssh_config:

    HashKnownHosts yes

So it looks like this:

#   HashKnownHosts yes

Leave a Reply

Your email address will not be published.