Linux Post-Installation Steps

This guide walks through the important steps for a new Linux installation. The steps are written for Ubuntu Server, but most of them apply to any Linux distro. The final section covers additional steps for a Raspberry Pi running Ubuntu Server.

Passwordless SSH

PuTTY

This section will cover how to configure PuTTY to sign into your machine via SSH without the need for a password. See the below sections for information on other methods (MacOS, Disable Password Login, etc.).

  1. If you haven’t already, download and install PuTTY. After installation completes, run PuTTYgen.
  2. From the Key menu, select the key type. SSH-2 EdDSA key (Ed25519) is the best choice and is supported by every current Ubuntu release; if you need SSH-2 RSA key, make sure RSA is selected under the Parameters section and enter 3072 or 4096 as the number of bits (2048 still works, but a larger key costs nothing for SSH).
  3. Click Generate, and move the mouse over the blank area when prompted to feed the random generator.
  4. After the keys are generated, add a descriptive Key comment to help you easily identify your key, set a Key passphrase, and Save both keys (Public and Private Keys) to a secure location. Do NOT close the PuTTYgen window yet.

    Pay extra attention to where you save the Private Key: anyone who steals it can log in to your server without a password. The passphrase is what stops a stolen .ppk file from being usable immediately; PuTTY's Pageant can cache it so you only type it once per session.

  5. Copy the text from Public key for pasting into OpenSSH authorized_keys file: and paste it into a new text document. It must be a single line starting with the key type (ssh-ed25519 or ssh-rsa); the multi-line block that PuTTYgen saves as the public key file is a different format that OpenSSH will not accept.
  6. SSH into the Linux machine as the user you want to log in as without a password, then edit the authorized_keys file:
    
    pwd                 ## Check to see if you are in the correct $HOME location
    mkdir -p .ssh       ## Create the .ssh folder if it isn't already there
    nano .ssh/authorized_keys
    
  7. Paste in the contents of the SSH key from the text document. Exit and save the document using Ctrl+X, Y, Enter.
  8. Double check that the key saved, then restrict the permissions. With the default StrictModes yes, sshd silently ignores authorized_keys if the file, the .ssh directory or your home directory is writable by anyone but you, so .ssh should be 700 and authorized_keys 600 (the commonly seen chmod -R 700 .ssh also works, but marks the key file executable for no reason):
    
    cat .ssh/authorized_keys
    chmod 700 .ssh
    chmod 600 .ssh/authorized_keys
    exit
    
  9. In order to automatically use this key in PuTTY, open PuTTY and enter or load the configuration for the Linux machine. In the Connection > SSH > Auth category (Connection > SSH > Auth > Credentials in PuTTY 0.78 and later), click Browse and select your private key (.ppk file). Return to the Session category and save the configuration. Open a second session to confirm the key login works before you rely on it.

MacOS

  1. This section coming soon

Disable Password Login

  1. Once you have passwordless SSH login successfully configured, you can disable password logins by editing the sshd_config file using:
    
    sudo nano /etc/ssh/sshd_config
    
  2. Uncomment the line PasswordAuthentication yes and change the value to no, then add the line KbdInteractiveAuthentication no (older releases spell it ChallengeResponseAuthentication no; OpenSSH still accepts both names). Without the second line, PAM's keyboard-interactive path can still accept a password even though PasswordAuthentication is off. Save the config using Ctrl+X, Y, Enter. On Ubuntu 22.04 and later also look in /etc/ssh/sshd_config.d/: the main file begins with an Include of that directory, sshd uses the first value it sees for each option, and cloud images ship a 50-cloud-init.conf there containing PasswordAuthentication yes, which would quietly override your edit. Remove or change that line too.
  3. Validate the configuration with sudo sshd -t (it prints nothing when the file parses cleanly), then restart the SSH server using:
    
    sudo systemctl restart ssh
    
    Keep your current session open, and from a second terminal confirm that a key login still works and that a password login is now refused before you close it.
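
The two things this whole section hinges on, getting a key into authorized_keys with permissions sshd will accept and knowing which PasswordAuthentication value sshd actually ends up with once Include drop-ins are taken into account, as an added shell example that is not part of the original guide. The key material, file names and scratch directory are made up; on a real host the inputs are /etc/ssh/sshd_config and the user's ~/.ssh.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Everything here takes paths as
# arguments so it can be exercised in a scratch directory first.
set -eu

# install_authorized_key <public key line> <.ssh directory>
# Creates the directory (0700) and authorized_keys (0600) if missing and appends
# the key unless the same key blob is already present (comments may differ).
# Returns 1 if the line does not look like a single-line OpenSSH public key.
install_authorized_key() {
    key=$1; dir=$2
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-"*) ;;
        *) echo "rejected: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$dir"; chmod 700 "$dir"
    touch "$dir/authorized_keys"; chmod 600 "$dir/authorized_keys"
    blob=$(printf '%s\n' "$key" | awk '{print $2}')      # field 2 is the key itself
    if ! awk -v b="$blob" '$2 == b {found = 1} END {exit !found}' "$dir/authorized_keys"; then
        printf '%s\n' "$key" >> "$dir/authorized_keys"
    fi
}

# sshd_effective_setting <sshd_config path> <keyword>
# Prints the value sshd would use: the FIRST uncommented occurrence, with
# Include directives expanded at the point they appear. That is why a drop-in
# pulled in by the Include at the top of Ubuntu's sshd_config beats a line
# further down the main file. Stops at the first Match block (its settings are
# conditional). Prints nothing if the keyword is never set.
sshd_effective_setting() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _sshd_scan() {
        f=$1
        [ -f "$f" ] || return 1
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}              # strip comments
            set -- $line                  # keyword + arguments; globs expand here
            [ $# -ge 2 ] || continue
            k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
            case "$k" in
                match)   return 1 ;;
                include) shift
                         for inc in "$@"; do
                             case "$inc" in /*) ;; *) inc="/etc/ssh/$inc" ;; esac
                             _sshd_scan "$inc" && return 0
                         done ;;
                "$want") printf '%s\n' "$2"; return 0 ;;
            esac
        done < "$f"
        return 1
    }
    _sshd_scan "$1" || true
}

# password_auth_disabled <sshd_config path>
# 0 only when sshd would refuse passwords on both paths: PasswordAuthentication
# must be "no" AND keyboard-interactive must be explicitly "no" (its default is
# yes, and with UsePAM that is a second way to present a password).
password_auth_disabled() {
    cfg=$1
    [ "$(sshd_effective_setting "$cfg" PasswordAuthentication)" = no ] || return 1
    kbd=$(sshd_effective_setting "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective_setting "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = no ]
}
```

On the server itself, sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication' prints the values sshd has settled on after processing every Include, and is the authoritative form of the check above.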
    

Updates

Now that we’re logged into the Linux machine without a password, we will update the machine and configure automatic updates.

  1. Update the apt package index and install any updates:
    
    sudo apt-get update
    sudo apt-get upgrade
    
  2. Configure automatic updates using unattended-upgrades:
    
    sudo apt-get install unattended-upgrades
    
  3. If the response looks like 0 upgraded, 0 newly installed,... the package was already present (Ubuntu Server installs it by default), so the configuration prompt never ran. Trigger it by reconfiguring the package:
    
    sudo dpkg-reconfigure --priority=low unattended-upgrades
    
  4. Select Yes to automatically download and install updates. Out of the box this applies packages from the release and -security pockets only (-updates is commented out in /etc/apt/apt.conf.d/50unattended-upgrades), and a kernel update is installed but not running until you reboot, which it will not do for you unless you turn on Unattended-Upgrade::Automatic-Reboot in that file.
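
What answering Yes actually writes, plus a drop-in for the options the prompt leaves alone, as an added shell example that is not from the guide. It writes into a directory you pass, so you can inspect the result before copying it under /etc/apt/apt.conf.d; apt reads that directory in lexical order and the last scalar assignment wins, which is why the local file is named to sort after the package's 50unattended-upgrades. The reboot time and cleanup settings are choices for a lab box, not defaults, and apt_conf_value is a small reader for scalar options written for this example, not apt's parser.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide or the unattended-upgrades package.
set -eu

# write_unattended_upgrades_config <apt.conf.d-style directory>
write_unattended_upgrades_config() {
    d=$1
    mkdir -p "$d"
    # This is what "Select Yes" in dpkg-reconfigure produces: run the list
    # refresh and the upgrade step from the apt-daily timers.
    cat > "$d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # Site overrides (assumed values for this example). A later file beats the
    # package-shipped 50unattended-upgrades for scalar options like these.
    cat > "$d/52unattended-upgrades-local" <<'EOF'
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
EOF
}

# apt_conf_value <directory> <Key::Name>
# Prints the last scalar assignment of the key across the directory, reading
# files in lexical order the way apt does. Empty output means "not set".
apt_conf_value() {
    d=$1; key=$2; val=""
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        v=$(awk -v k="$key" '$1 == k { gsub(/^"|";$/, "", $2); last = $2 } END { print last }' "$f")
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}

# unattended_upgrades_enabled <directory>  -> 0 when both periodic steps are on
unattended_upgrades_enabled() {
    [ "$(apt_conf_value "$1" APT::Periodic::Update-Package-Lists)" = 1 ] &&
    [ "$(apt_conf_value "$1" APT::Periodic::Unattended-Upgrade)" = 1 ]
}
```

Once the files are in /etc/apt/apt.conf.d/, apt-config dump Unattended-Upgrade shows apt's own merged view (including the list-valued options this reader skips), and sudo unattended-upgrade --dry-run --debug walks through exactly what the next run would install without changing anything.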

Additional Accounts, Sudoers, Disable Root

Add New User

For this section, “andrew” will be used as the new user’s username. Usernames are case-sensitive.

  1. Add a new user to the machine using the adduser command:
    
    sudo adduser andrew
    
  2. Enter a password and verify that password.
  3. Add name and additional information, if pertinent, and verify the information.

Sudoers

  1. To add a user to the sudoers group, use the following:
    
    sudo usermod -aG sudo andrew
    
  2. Check the user's sudo permissions:
    
    sudo -l -U andrew
    
  3. To manually edit the sudoers file and/or set sudo permissions to not require a password, use the following. Always go through visudo rather than editing /etc/sudoers directly: it locks the file and refuses to save a version with a syntax error, and a broken sudoers locks everyone out of sudo at once:
    
    sudo visudo
    
  4. In the editor that opens, you can change the sudo permissions for any user or group. To add a nopasswd permission to a user, add the following under # User privilege specification:
    
    andrew  ALL=(ALL) NOPASSWD:ALL
    
  5. To add nopasswd permissions for the entire sudo group, add the following under # Allow members of group sudo to execute any command:
    
    %sudo   ALL=(ALL) NOPASSWD: ALL
    
    Keep in mind what NOPASSWD:ALL gives up: the sudo prompt is the only thing between a stolen SSH key, or a script running as that user, and root. Reserve it for automation accounts and, where possible, list the specific commands that need it instead of ALL. Drop-in files under /etc/sudoers.d/ (created with sudo visudo -f /etc/sudoers.d/andrew) keep such rules separate from the distro's sudoers file and easy to review.
    

Disable Root Login

The root user is already disabled by default in Ubuntu, but this step may be useful in other distros.

  1. Check whether the root account has a usable password. /etc/passwd only carries an x placeholder in the password field, so grep root /etc/passwd shows that root exists but not whether it can log in; the lock state lives in /etc/shadow, which passwd -S reads for you:
    
    sudo passwd -S root
    
    An L in the second field of the output means the password is locked (Ubuntu's default); P means a usable password is set.

  2. Disable password logins for the root account:
    
    sudo passwd -l root
    
    This only locks root's password. Members of the sudo group can still become root with sudo -i, and a key in /root/.ssh/authorized_keys still works unless PermitRootLogin in sshd_config forbids it (the OpenSSH default, prohibit-password, still allows key logins as root).
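
The check that the shadow file actually supports, as an added shell example that is not from the guide: classify the password field of a shadow entry and decide whether root is password-locked. The entries are constructed for the example (the hashes are placeholders); on a real host the input is /etc/shadow, read with sudo.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Parses shadow(5)-format lines.
set -eu

# account_password_state <shadow line>  -> prints one of:
#   locked      field starts with "!" (what passwd -l / usermod -L write; a bare
#               "!" or "!!" is locked with no hash left to restore)
#   nopassword  field starts with "*": no password was ever set, so no password
#               login, but SSH keys and sudo still work (Ubuntu's root)
#   empty       field is blank: depending on PAM this means login with no
#               password at all, the case you never want to find on a server
#   active      a hash is present and usable
account_password_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        "")   echo empty ;;
        '!'*) echo locked ;;
        '*'*) echo nopassword ;;
        *)    echo active ;;
    esac
}

# root_password_disabled <shadow file>
# 0 if root cannot authenticate with a password, 1 if it can or has no entry.
root_password_disabled() {
    line=$(grep '^root:' "$1") || return 1
    st=$(account_password_state "$line")
    [ "$st" = locked ] || [ "$st" = nopassword ]
}

# Constructed sample; only the second field matters here.
SAMPLE_SHADOW='root:*:19700:0:99999:7:::
andrew:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:0:99999:7:::
deploy:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:0:99999:7:::
guest::19700:0:99999:7:::'

# One line per account: "empty" and "active" are the ones to look at on a box
# that is supposed to be key-only.
report_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r l; do
        printf '%-8s %s\n' "${l%%:*}" "$(account_password_state "$l")"
    done
}
```

Running report_accounts on the sample flags guest (empty field) and andrew (active hash); the same loop over the real file, sudo cat /etc/shadow, is a quick audit of which local accounts still accept a password after the SSH changes above.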
    

Static IP Configuration

This section applies to Ubuntu installations that use netplan.

Ideally, use the “belt and suspenders” approach: reserve the IP in your DHCP scope as well as set the IP on the server itself.

This section will suppose that you are assigning a static IP of 10.0.0.100 to a machine connected to a router at 10.0.0.1, in the 255.255.255.0 subnet (/24 netmask), using 1.1.1.1 and 1.0.0.1 as its DNS addresses.

  1. You can check your machine’s current IP configuration using ip a, which also shows each interface’s MAC address on its link/ether line (ifconfig is not installed by default on Ubuntu Server).
  2. Edit the netplan configuration using:
    
    cd /etc/netplan/
    ls
    ##  Find your configuration .yaml file and edit it using nano
    sudo nano 01-netcfg.yaml
    
    The file name varies (00-installer-config.yaml on installer images, 50-cloud-init.yaml on cloud images); netplan merges every .yaml in the directory in lexical order, so edit the one that already describes your interface rather than adding a second.
  3. Modify the .yaml file, following the proper netplan formatting. The key under ethernets (enp2s0 here) is the interface name that ip a reports. The optional match/set-name pair instead selects the NIC by MAC address and renames it; set-name is only valid together with a match block. Note that via sits at the same indentation as to inside the routes list item; indenting it further makes the file unparseable:
    
    network:
      version: 2
      ethernets:
        enp2s0:                          ## Use the interface name ip a reports
          match:                         ## Optional: select the NIC by MAC address...
            macaddress: "<YOUR MAC ID HERE>"
          set-name: eth0                 ## ...and rename it to 'eth0' (requires match)
          dhcp4: no
          addresses:
            - 10.0.0.100/24
          nameservers:
            addresses: [1.1.1.1, 1.0.0.1]
          routes:
            - to: default
              via: 10.0.0.1
    
  4. Save and close the file using Ctrl+X, Y, Enter. On a machine you only reach over SSH, test with sudo netplan try first: it applies the configuration and reverts after 120 seconds unless you press Enter to confirm, so a wrong address or gateway cannot lock you out. Then apply it for good:
    
    sudo netplan apply
    
    If you changed the IP address to something different than it previously was, it will disconnect your SSH session and you will have to reconnect to the new IP address. If netplan warns that the file's permissions are too open, tighten them with chmod 600; only root needs to read it.

Fix LVM and Partitioning

This section is specific to non-Raspberry-Pi Ubuntu installations.

On a default Ubuntu Server install the root logical volume uses only part of the volume group, so space you thought you had is sitting unallocated. Check first with sudo vgs (the VFree column) and df -h /. Access the Logical Volume Manager (LVM) using lvm and the following commands:

sudo lvm
lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv
exit

Finally, use resize2fs to grow the ext4 filesystem into the enlarged volume (lvextend's -r flag does this step for you; an XFS root needs xfs_growfs instead). Both operate on a mounted filesystem, so no reboot is needed; confirm with df -h / afterwards:

sudo resize2fs /dev/ubuntu-vg/ubuntu-lv

Set / Change Hostname

Run hostname to see your current hostname, or use hostnamectl to get more information.
To change your hostname, run the following, where {host} is your desired hostname.

sudo hostnamectl set-hostname {host}

Edit the hosts file:

sudo nano /etc/hosts

Replace the old hostname if it is present; Ubuntu keeps it on a 127.0.1.1 line. If that line is left stale, sudo and other tools that resolve the local hostname will complain that they cannot resolve it. On cloud images, also set preserve_hostname: true in /etc/cloud/cloud.cfg, or cloud-init will put the old name back on the next boot.

Set Time Zone and NTP Server

  1. Run timedatectl to see the currently configured time zone. If this is correct, skip to Step 3. Time zones must follow tz database format. You can view all time zones using timedatectl list-timezones.
  2. If this is incorrect, set the correct time zone using:
    
    sudo timedatectl set-timezone America/New_York
    
  3. Check the current NTP configuration using systemctl status systemd-timesyncd. If you wish to change the NTP server, move on to the next step.
  4. Edit the timesyncd configuration using sudo nano /etc/systemd/timesyncd.conf.
  5. Set the content of the [Time] block to:
    
    [Time]
    NTP=
    FallbackNTP=time.google.com
    
    Leaving NTP= uncommented and assigned to an empty string resets the server list. timesyncd uses servers learned from the network (DHCP) first, then NTP=, and only falls back to FallbackNTP= when both of those are empty, so on a statically configured host this makes Google Public NTP the only server. Setting NTP=time.google.com directly is equivalent and says what you mean. Note that timesyncd is a plain SNTP client with no authentication of the server; if a spoofed time source is in your threat model (it matters for certificate validity and log timestamps), use chrony with NTS instead.

  6. Restart systemd-timesyncd using sudo systemctl restart systemd-timesyncd.service.
  7. Verify that your system is using Google Public NTP with timedatectl show-timesync | grep ServerName (timedatectl timesync-status gives a readable summary including stratum and offset). If successfully configured, the output will show:
    
    ServerName=time.google.com
    

Configure UFW

  1. Check the status of ufw by running sudo ufw status.
  2. To start off, deny all incoming traffic and allow all outgoing traffic:
    
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    
  3. Allow incoming SSH connections. Do this before enabling the firewall: with the default deny policy in place, enabling ufw first would drop your own session (ufw enable warns about exactly this):
    
    sudo ufw allow ssh
    

You can also allow other services and ports, such as in the following examples:

sudo ufw allow 80                   ## or sudo ufw allow http
sudo ufw allow https                ## or sudo ufw allow 443
sudo ufw allow 6000:6007/tcp        ## to allow port ranges (6000-6007)
sudo ufw allow from 203.0.113.4     ## to allow from a specific IP address
sudo ufw allow from 203.0.113.0/24  ## to allow from an entire subnet

sudo ufw allow 9001                 ## for Portainer install in a later section

A rule that names a port without /tcp or /udp opens both protocols, and a rule with only a source (allow from 203.0.113.4) opens every port to that source. Where you can, scope rules to both, e.g. sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp. For SSH in particular, sudo ufw limit ssh instead of allow makes ufw rate-limit the port: a source that opens 6 or more connections within 30 seconds is dropped.

  4. Enable the ufw firewall and check the status to see currently configured rules:
    
    sudo ufw enable
    sudo ufw status verbose
    

Install fail2ban

fail2ban is a useful and customizable tool for blocking malicious password-based login attempts, but this setup does not properly restrict malicious key-based login attempts.

  1. Install fail2ban using the apt package index:
    
    sudo apt update
    sudo apt install fail2ban
    
  2. Verify that fail2ban is running:
    
    sudo systemctl status fail2ban
    
  3. Duplicate the fail2ban config files before editing them. fail2ban reads each .conf and then the matching .local, with the .local winning, so your changes survive a package upgrade that replaces the .conf:
    
    sudo cp /etc/fail2ban/fail2ban.{conf,local}
    sudo cp /etc/fail2ban/jail.{conf,local}
    
    A jail.local that holds only the lines you change (in a [DEFAULT] section) is easier to audit than a full copy, whose hundreds of unchanged lines also shadow any upstream defaults that change later; either approach works.

  4. Edit the local version of the fail2ban config…
    
    sudo nano /etc/fail2ban/fail2ban.local
    
    …and edit the following config items:

    loglevel = INFO
    logtarget = /var/log/fail2ban.log
    
    Save and exit using Ctrl+X, Y, Enter.

  5. Edit the local version of the jail config…
    
    sudo nano /etc/fail2ban/jail.local
    
    …and edit the following config items in the [DEFAULT] section:

    bantime = 10m
    findtime = 10m
    maxretry = 5
    backend = systemd       # For Ubuntu 20.04+, use systemd
    
    Together these mean: once a source has maxretry failures within any findtime window, ban it for bantime. They are the upstream defaults. They do nothing against an attacker who stays under maxretry per window, which is why disabling password authentication (earlier in this guide) matters more than tuning them; bantime.increment = true is worth adding so that a source that returns after a ban expires is banned for progressively longer. backend = systemd reads the journal directly; on recent Ubuntu releases that no longer install rsyslog by default, /var/log/auth.log does not exist and the sshd jail fails to start with any other backend.

    Save and exit using Ctrl+X, Y, Enter.

  6. Restart the fail2ban service and check the status again:
    
    sudo systemctl restart fail2ban
    sudo systemctl status fail2ban
    
  7. Check that a jail has been set up. (On Debian and Ubuntu the package enables the sshd jail through /etc/fail2ban/jail.d/defaults-debian.conf, so you should not need to add one.)
    
    sudo fail2ban-client status
    sudo fail2ban-client status sshd
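
To see what the findtime/maxretry settings above actually do, here is the sshd jail's counting logic as an added shell and awk example (not fail2ban's own code): per source address, count the lines the sshd filter would treat as failures inside a sliding findtime window and report the address the moment maxretry is reached. The log lines are constructed, use epoch seconds in place of syslog dates to keep the script short, and match only the two failure patterns shown; fail2ban's real filter recognises many more.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide or from fail2ban.
set -eu

# Constructed sample (not a real log). 203.0.113.7 fails 5 times in 4 minutes,
# 198.51.100.9 fails 5 times spread over 40 minutes, 192.0.2.3 logs in with a
# key. Lines must be in time order per source, as a real log is.
SAMPLE_LOG='1700000000 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
1700000060 sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
1700000120 sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
1700000180 sshd[1004]: Invalid user oracle from 203.0.113.7 port 51003
1700000240 sshd[1005]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
1700000000 sshd[1006]: Failed password for root from 198.51.100.9 port 40000 ssh2
1700000600 sshd[1007]: Failed password for root from 198.51.100.9 port 40001 ssh2
1700001200 sshd[1008]: Failed password for root from 198.51.100.9 port 40002 ssh2
1700001800 sshd[1009]: Failed password for root from 198.51.100.9 port 40003 ssh2
1700002400 sshd[1010]: Failed password for root from 198.51.100.9 port 40004 ssh2
1700000300 sshd[1011]: Accepted publickey for andrew from 192.0.2.3 port 2222 ssh2: ED25519 SHA256:xyz'

# would_ban <findtime seconds> <maxretry>   (log lines on stdin)
# Prints each source address once, at the line where it crosses maxretry
# failures within the last findtime seconds. Field 1 is the timestamp.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" '
        # Only lines the sshd filter counts as failures ("Accepted" never matches).
        /Failed password for|Invalid user/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || banned[ip]) next
            n[ip]++; ts[ip, n[ip]] = $1 + 0
            # Slide the window: forget failures older than findtime before this one.
            while (first[ip] + 0 < n[ip] && ts[ip, first[ip] + 1] < $1 - findtime) first[ip]++
            if (n[ip] - first[ip] >= maxretry) { banned[ip] = 1; print ip }
        }'
}

# banned_with <findtime seconds> <maxretry>  -> addresses flagged in the sample
banned_with() {
    printf '%s\n' "$SAMPLE_LOG" | would_ban "$1" "$2"
}

banned_with 600 5   # findtime = 10m, maxretry = 5: prints 203.0.113.7 only
```

On the host, sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf runs the real filter over your log and reports how many lines it matched, which is the right way to confirm the jail sees what you expect. Note that 198.51.100.9 is never flagged with the 10 minute window: a source that spaces its attempts out slides under maxretry, which is the limit of what fail2ban can do and the reason the earlier steps disable password authentication outright.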
    

Raspberry Pi Post-Installation Steps

POE+ HAT Fan Curve

  1. Check your current fan config in /sys/class/thermal/:
    
    cd /sys/class/thermal/ && ls
    
    If there is only one device listed, such as cooling_device0, continue to Step 3.

  2. Otherwise, check the individual cooling devices to see which is the POE+ HAT fan:
    
    cat cooling_device0/type
    cat cooling_device1/type
    # cat cooling_deviceX/type etc...
    
    The cat response should be rpi-poe-fan or pwm-fan.
    You can alternatively check which fan is running:

    cat cooling_device0/cur_state
    cat cooling_device1/cur_state
    
    The response of a running fan will be 1, 2, 3, or 4. A response of 0 is a fan that is not currently running.

  3. Create a new udev rule…
    
    sudo nano /etc/udev/rules.d/50-rpi-fan.rules
    
    …and paste the following into the file. In a .rules file every non-comment line is one complete rule, with its match keys (==) and assignments (=) on that same line separated by commas. A match key on a line by itself is a rule that matches and does nothing, and an ATTR assignment on a line by itself is applied to every device, so the four trip points are written as four self-contained rules:

# Thermal trip points for the PoE+ HAT fan (values are millidegrees Celsius).
# If the temp hits 65C, turn on the fan.
SUBSYSTEM=="thermal", KERNEL=="thermal_zone0", ATTR{trip_point_3_temp}="65000", ATTR{trip_point_3_hyst}="5000"
# If the temp hits 70C, higher RPM.
SUBSYSTEM=="thermal", KERNEL=="thermal_zone0", ATTR{trip_point_2_temp}="70000", ATTR{trip_point_2_hyst}="2000"
# If the temp hits 75C, higher still.
SUBSYSTEM=="thermal", KERNEL=="thermal_zone0", ATTR{trip_point_1_temp}="75000", ATTR{trip_point_1_hyst}="2000"
# If the temp hits 80C, highest RPM.
SUBSYSTEM=="thermal", KERNEL=="thermal_zone0", ATTR{trip_point_0_temp}="80000", ATTR{trip_point_0_hyst}="5000"

Note that the ATTR{trip_point_X_temp}= value is the temperature (in millidegrees Celsius, i.e. degrees x1000) at which the fan steps up, and the matching _hyst value is how far the temperature has to drop back below it before the fan steps down again, which stops it cycling on and off around the threshold. Also note that the trip point numbering is reversed, where 0 is the highest speed and 3 is the lowest.

Save and exit using Ctrl+X, Y, Enter.

  4. Apply the new udev rule now (udev also applies it at every boot), then read a trip point back to confirm it took effect; cat /sys/class/thermal/thermal_zone0/trip_point_3_temp should print 65000:
    
    sudo udevadm control --reload-rules && sudo udevadm trigger
    
    

Docker Installation Steps

This section is specific to Ubuntu installations, adapted from Docker’s official documentation, here and here.

  1. Update the apt package index and install the following packages to allow apt to use a repository over HTTPS:
    
    sudo apt-get update
    sudo apt-get install ca-certificates curl gnupg lsb-release
    
  2. Add Docker’s official GPG key. Every docker-ce package you install from now on is trusted because apt can verify its signature with this key, so fetch it over HTTPS exactly as shown and, before going further, compare the fingerprint that gpg --show-keys /etc/apt/keyrings/docker.gpg prints with the one published in Docker's documentation:
    
    sudo mkdir -p /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
    
    apt reads the key as the unprivileged _apt user, so if your umask produced a 0600 file, fix it with sudo chmod a+r /etc/apt/keyrings/docker.gpg.
  3. Use the following command to set up the repository. The signed-by= option binds this one source to the key above and nothing else, which is why the key lives in /etc/apt/keyrings instead of the system-wide trusted keyring (on Ubuntu derivatives, replace $(lsb_release -cs) with the Ubuntu codename they are based on):
    
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    
  4. Update the apt package index and install the Docker Engine, containerd, and Docker Compose:
    
    sudo apt-get update
    sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
    
  5. To manage Docker as a non-root user, add your user to the docker group and start a shell with the new membership (the package already creates the group, so groupadd reporting that it exists is fine). Membership in the docker group is root-equivalent on the host: anyone in it can start a container with / bind-mounted and read or rewrite any file, so hand it out as carefully as passwordless sudo.
    
    sudo groupadd docker
    sudo usermod -aG docker $USER
    newgrp docker
    
  6. Configure Docker to start on boot with systemd:
    
    sudo systemctl enable docker.service
    sudo systemctl enable containerd.service
    

Portainer Installation Steps

This section outlines using Portainer Agent to add a Docker standalone environment to an existing Portainer instance. See Portainer’s documentation here for more info.

You will need an existing Portainer Server that can reach this host on TCP 9001, the port opened in the Configure UFW section.

Run the following command to deploy the Portainer Agent:

docker run -d -p 9001:9001 --name portainer_agent --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/volumes:/var/lib/docker/volumes portainer/agent:latest

Two things to be deliberate about here. First, the agent is handed the Docker socket, which is root on this host, and unless you set the AGENT_SECRET environment variable on both the agent and the server, any Portainer Server that can reach port 9001 can claim it. Do not rely on ufw to limit who that is: Docker manages its own iptables rules for published ports, and ufw's rules do not apply to them, so a ufw allow from <server IP> rule protects nothing here. Either publish on a specific address that only the Portainer Server can reach (-p 10.0.0.100:9001:9001 on a management interface) or add the restriction in the DOCKER-USER iptables chain, which Docker does honour. Second, pin the agent image to the same version as your Portainer Server instead of latest; Portainer requires the two versions to match, and an unpinned latest tag will drift on the next pull.