# Ubuntu Server Maintenance

Pere Villega published on

Categories: devops

This guide will show some basic things you might need to maintain an Ubuntu server. You might not need all of them, but they are handy enough and I’ve had to use each of them at least once.

## Secure a fresh Ubuntu installation

Original source: Mensk

When you install your fresh server, you have a completely unsafe Ubuntu installation. To make it a bit safer, follow these steps (change names and ports accordingly). Log in as root (via ssh or using the console, depending on your physical access to the machine) and change the root password:

    passwd

Create your own user and give it sudo rights:

    adduser jsmith
    visudo

Append this line to the end of the file (to navigate within the ‘vi’ editor and create the next line, use these keys: L, $, a, Enter):

    jsmith ALL=(ALL) ALL

To save and exit do: Esc, :wq, Enter. Now let’s set up the SSH configuration:

    nano /etc/ssh/sshd_config

Find Port 22 and change the number to something different (12345) to make hacking more difficult. Then change the following settings:

    PermitRootLogin no
    X11Forwarding no
    UsePAM no

Append these lines to the very end:

    UseDNS no
    AllowUsers jsmith

After this, we must secure the server with iptables:

    iptables-save > /etc/iptables.up.rules
    nano /etc/iptables.test.rules

Copy the contents below and paste them into ‘iptables.test.rules’:

    *filter

    # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    # Accepts all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allows all outbound traffic
    # You can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT

    # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT

    # Allows SSH connections
    #
    # THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
    #
    -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT

    # Allow ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

    # Log iptables denied calls
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

    # Reject all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j REJECT
    -A FORWARD -j REJECT

    COMMIT

Change the port number to your SSH port number on this line:

    -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT

Save and exit (Ctrl+O, Ctrl+X). To apply the new iptables rules:

    iptables-restore < /etc/iptables.test.rules

Then save the iptables rules permanently:

    iptables-save > /etc/iptables.up.rules

Make sure the iptables rules will also apply when the server is rebooted:

    nano /etc/network/interfaces

Add a new line after these two:

    auto lo
    iface lo inet loopback
    pre-up iptables-restore < /etc/iptables.up.rules

Save and exit. Reload SSH to use the new port and configuration:

    /etc/init.d/ssh reload

Keep the ‘root’ session running and open a second session. SSH into your slice on the new port, with your new username and password:

    ssh -p 12345 jsmith@<server address>

If you logged in successfully with your new username ‘jsmith’, you may close the ‘root’ session now. If not, you still have the ‘root’ session open to fix problems. As your user, edit the .bashrc file to make the terminal window a bit more helpful:

    nano ~/.bashrc

Append these lines to the end of it:

    export PS1="\[\e[32;1m\]\u\[\e[0m\]\[\e[32m\]@\h\[\e[36m\]\w \[\e[33m\]\$ \[\e[0m\]"
    alias ll="ls -la"
    alias a2r="sudo /etc/init.d/apache2 stop && sleep 2 && sudo /etc/init.d/apache2 start"
    alias n2r="sudo /etc/init.d/nginx stop && sleep 2 && sudo /etc/init.d/nginx start"
    alias ver="cat /etc/lsb-release"


Save and exit. Reload .bashrc to make changes active:

    source ~/.bashrc


Update sources:

    sudo aptitude update


Set system locale:

    sudo locale-gen en_US.UTF-8
    sudo /usr/sbin/update-locale LANG=en_US.UTF-8


Upgrade the installed packages:

    sudo aptitude -y safe-upgrade
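The steps above leave two files that must agree: the Port in sshd_config and the --dport on the iptables rule that accepts NEW connections (the sample rules open 30000 until you edit that line). As an added check that is not part of the original post, this POSIX shell script compares the two and confirms PermitRootLogin is still "no"; the function names are my own, and it runs here against constructed sample copies rather than the live files.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the port sshd
# listens on is the one the iptables rules accept for NEW connections (the
# post sets Port 12345 but the sample rules open 30000 until you edit them)
# and that PermitRootLogin stayed "no". File paths are arguments, so you can
# point it at /etc/ssh/sshd_config and /etc/iptables.test.rules before
# running iptables-restore, or at the constructed copies below.

# Effective Port from an sshd_config (last uncommented directive wins; default 22).
ssh_port_from_config() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${p:-22}"
}

# Every --dport the rules ACCEPT for NEW inbound connections, one per line.
new_ports_from_rules() {
    grep -E -- '^-A INPUT .*--state NEW.*--dport [0-9]+.*-j ACCEPT' "$1" |
        sed -E 's/.*--dport ([0-9]+).*/\1/'
}

# Returns 0 when sshd's port is among the opened ports, 1 otherwise.
check_ssh_firewall() {
    want=$(ssh_port_from_config "$1")
    if new_ports_from_rules "$2" | grep -qx "$want"; then
        echo "OK: sshd Port $want is accepted by the firewall rules"
        return 0
    fi
    echo "MISMATCH: sshd Port is $want but the rules open:" $(new_ports_from_rules "$2") >&2
    return 1
}

# Returns 0 when the last PermitRootLogin directive is "no".
root_login_disabled() {
    v=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    [ "$v" = "no" ]
}

# Constructed sample files reproducing the post's mismatch (12345 vs 30000).
demo_dir=$(mktemp -d)
printf 'Port 12345\nPermitRootLogin no\nUsePAM no\nAllowUsers jsmith\n' > "$demo_dir/sshd_config"
printf '*filter\n-A INPUT -p tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT\n-A INPUT -j REJECT\nCOMMIT\n' > "$demo_dir/test.rules"
check_ssh_firewall "$demo_dir/sshd_config" "$demo_dir/test.rules" || echo "fix the --dport line before iptables-restore"
root_login_disabled "$demo_dir/sshd_config" && echo "OK: root login disabled"
```

Run it as root against the real files right after editing them; a MISMATCH means the next iptables-restore would lock your new user out of SSH, which is exactly why the post tells you to keep the root session open.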


## Clean the server (via UbuntuGeek)

I have a special fixation on cleaning my servers. I don’t want any extra file (package, log, whatever) to be there if it is not needed. That’s why when I discovered UbuntuCleaner I got quite happy. This tool does the following for you:

• Cleans apt cache

• Removes config files left from uninstalled .deb packages (it happens if you don’t use the --purge switch with apt-get)

• Removes every kernel except the one you are using

• Empties the trashes of every user(including root)

It uses apt, and the kernel-removing part searches for Ubuntu-only packages, so it can’t work on a non-Debian system and the result is undetermined on other Debian-based systems, but you can still use the other features of the script (you’ll just have to comment out the parts you don’t want).

The script assumes that you are using the text-based Aptitude application, rather than apt-get and dpkg. If you are not using Aptitude, you should replace the reference to aptitude clean with apt-get clean and the reference to aptitude purge with dpkg --purge. This can be done by editing the script. First download the script, for example with the following command:

    wget http://www.opendesktop.org/CONTENT/content-files/71529-ubucleaner.sh


Now you should have a 71529-ubucleaner.sh file; give it execute permissions using the following command:

    sudo chmod +x 71529-ubucleaner.sh


Run the script using the following command:

    ./71529-ubucleaner.sh


## Upgrading to a new release (via HowToForge)

For an Ubuntu server, the main advice is to stick to LTS releases, due to their stability. That said, sometimes you might need to upgrade to a non-LTS release, as it happened to me when Launchpad was released and I wanted to install it (it required 9.04). So here I will describe the steps needed to update your distribution. It assumes you are running a server (no X11 installed) and this is your first upgrade:

First become root:

    sudo su


Then run

    apt-get update


and install the package update-manager-core:

    apt-get install update-manager-core


If you are running an LTS release, open the file /etc/update-manager/release-upgrades

    vi /etc/update-manager/release-upgrades


and change Prompt=lts to Prompt=normal. Then run

    do-release-upgrade


## Enabling PHP-FastCGI (via HowToForge)

If you need to run FastCGI scripts on your Ubuntu 9.04 machine, you are lucky, as this version provides a FastCGI-enabled PHP5 package. To activate it, install PHP5 on Ubuntu:

    aptitude install php5-cgi php5-mysql php5-curl \
        php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt \
        php5-memcache php5-mhash php5-ming php5-pspell php5-recode php5-snmp \
        php5-sqlite php5-tidy php5-xmlrpc php5-xsl


Then open /etc/php5/cgi/php.ini and add the line

    cgi.fix_pathinfo = 1


right at the end of the file. This enables the FastCGI package. But there’s no standalone FastCGI daemon package for Ubuntu 9.04, therefore we use the spawn-fcgi program from lighttpd. We install lighttpd as follows:

    aptitude install lighttpd
    update-rc.d -f lighttpd remove


so that lighttpd will not start at boot time: we’ve installed lighttpd only because we need one program that comes with the package, /usr/bin/spawn-fcgi, which we can use to start FastCGI processes. Of course, you don’t want to type that command manually whenever you boot the system, so to have the system execute it automatically at boot time, open /etc/rc.local

    vi /etc/rc.local


and add the command at the end of the file (before the exit line):

    /usr/bin/spawn-fcgi -a 127.0.0.1 -p 9000 -u www-data -g www-data -f /usr/bin/php5-cgi -P /var/run/fastcgi-php.pid