Interesting commands:

Basic Server configuration

When I have a brand new server, these are the commands I execute in the first 5 minutes. The purpose is to have a comfortable but secure environment to start working with.

Server side

All these commands are executed as root.

passwd

Change the password of the root:

passwd

Update the system

aptitude update
aptitude safe-upgrade

Install essential packages

aptitude install sudo vim zsh         # Essential stuff
aptitude install openssh-server       # Just in case it is not already installed
aptitude install iptables fail2ban    # For securing the network
aptitude install rcconf               # Handy Runlevel Configuration Tool in ncurses
aptitude install molly-guard          # Prevents rebooting/shutting down machines by mistake
aptitude install etckeeper mercurial  # Put all your /etc files under a repository
aptitude install rsync                # Very useful

adduser

sudo adduser jan

Grant privileges

adduser jan sudo

Change the default shell

chsh -s $(which zsh) root
chsh -s $(which zsh) jan

Configure etckeeper

etckeeper init
etckeeper commit

Useful but not required steps

Disable PermitRootLogin in the sshd configuration file (/etc/ssh/sshd_config).
Disable X11Forwarding in the same file.
Then run: sudo service ssh reload

Change the maxretry to 10 in /etc/fail2ban/jail.conf
Then run: sudo service fail2ban reload
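
One way to apply the two sshd settings above without editing the file by hand, as an added example that is not part of the original page. The function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): idempotently set global
# sshd_config options. Function names are hypothetical.

# set_sshd_option FILE KEY VALUE
# sshd uses the first value it reads for a keyword, so the old global
# setting is replaced in place instead of appending a second one.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)     # accepts "Key value" and "Key=value"
            k = tolower(f[1])             # keywords are case-insensitive
        }
        # Global options must appear before the first Match block.
        k == "match" { inmatch = 1; if (!done) { print key " " value; done = 1 } }
        !inmatch && k == lkey {
            if (!done) { print key " " value; done = 1 }
            next                          # drop the old active global line
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# The two settings from the steps above.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" X11Forwarding no
}

# Constructed sample input, not a real server's configuration.
sample_sshd_config() {
    cat <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
x11forwarding=yes
Match User backup
    X11Forwarding yes
EOF
}

# Usage (as root): harden_sshd_config /etc/ssh/sshd_config && sshd -t && service ssh reload
```

Settings inside a Match block are left alone because they are per-user overrides. If the configuration starts with an Include line, a file read earlier can still override these values; sshd -T prints the effective configuration.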

Laptop side

These commands are executed after the commands in the Server side section.

All these commands are executed by a non-privileged user.

Configure the hosts file

We already know the IP of our server (I'll use SERVER_IP) and we may have a domain name associated with it. If we don't, we can use a friendly name like: liz, sam, abbie, mia, pulga, etc. (these are real names of my machines). The domain name or the friendly alias will be referred to as DOMAIN from now on.

echo "SERVER_IP DOMAIN " | sudo tee -a /etc/hosts

Configure SSH

Generating keys

We will create an RSA key and copy it to the remote server. Note that all the parameters, such as COMMENT or NAME_KEY, are to be replaced by real values.

After the key has been generated, we use ssh-copy-id to append our brand new public key to the authorized_keys file on the server (for both root and the user).

PLEASE, when creating the new RSA pair, DEFINE A PASSPHRASE! If your PC/laptop is compromised and your private keys are not protected, all your servers will be compromised, too. Be a good guy and set a strong password on your private keys.

cd ~/.ssh
ssh-keygen -t rsa -b 2048  -C COMMENT -f NAME_KEY
ssh-copy-id -i NAME_KEY.pub jan@$HOST
ssh-copy-id -i NAME_KEY.pub root@$HOST

.ssh/config file

You will normally have to execute something like "ssh jan@machinename.com -i ~/.ssh/NAME_KEY". The following configuration will allow you to execute "ssh FRIENDLY_NAME" without having to specify the IdentityFile (private key) and the username every time.

(Note: if the file does not exist create it)

Host DOMAIN FRIENDLY_NAME
	IdentityFile ~/.ssh/NAME_KEY
	ControlMaster auto
	ControlPath /tmp/%r@%h:%p
	User jan

ControlMaster and ControlPath are used to reuse an already established SSH connection to your server. Instead of creating a new TCP connection every time you type "ssh SOMETHING", ControlMaster lets you reuse a previously created connection. This results in a significant improvement in connection speed when you already have a connection to the server. Because the control socket gives access to the open connection, the ssh_config manual recommends placing ControlPath in a directory that other users cannot write to, such as one under ~/.ssh, rather than /tmp.

SSH Tip

I really encourage you to use the SSH agent by running ssh-add ~/.ssh/NAME_KEY before making a connection to one of your servers. The agent will ask you for the password of the private key, and you will not have to type it every time you want to access a remote machine using this private key. Very useful tip.

iptables

This is a custom command. I've explained how my iptables is configured. You can see the file directly, though.

scp /etc/init.d/iptables root@$HOST:/etc/init.d/
ssh root@HOST "rcconf --on iptables && /etc/init.d/iptables start"

dotfiles

You will see more information about my dotfiles on the front page of this webpage.

scp -r ~/{.vimrc,.vim,.zshrc,.shell} jan@HOST:
scp -r ~/{.vimrc,.vim,.zshrc,.shell} root@HOST: