Setting Up a Modern Linux Server: Best Practices
Introduction
Linux servers power a significant portion of the internet's infrastructure, from small websites to massive cloud platforms. Setting up a Linux server properly is crucial for ensuring security, performance, and reliability in production environments.
This guide covers best practices for configuring a modern Linux server, focusing on Ubuntu Server 24.04 LTS as an example distribution, though most principles apply to other distributions as well.
Initial Server Setup
System Updates
The first step after provisioning a new server is to update the system packages:
# Update package lists
sudo apt update
# Upgrade installed packages
sudo apt upgrade -y
# Optional: Install unattended-upgrades for automatic security updates
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
User Management
Create a non-root user with sudo privileges for day-to-day administration:
# Create a new user
sudo adduser admin
# Add to sudo group
sudo usermod -aG sudo admin
# Switch to the new user
su - admin
SSH Configuration
Secure your SSH service to prevent unauthorized access:
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
Recommended SSH settings:
# Disable root login
PermitRootLogin no
# Use SSH key authentication only
PasswordAuthentication no
# Change default port (optional but helps reduce automated attacks)
Port 2222
# Limit SSH access to specific users
AllowUsers admin
# Implement timeout settings
ClientAliveInterval 300
ClientAliveCountMax 2
Restart SSH service after changes:
sudo systemctl restart sshd
System Hardening
Firewall Configuration
Set up a host firewall using UFW (Uncomplicated Firewall):
# Install UFW if not already installed
sudo apt install ufw -y
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (use your custom port if changed)
sudo ufw allow 2222/tcp
# Allow other necessary services (examples)
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
# Enable firewall
sudo ufw enable
Fail2Ban Setup
Implement Fail2Ban to protect against brute force attacks:
# Install Fail2Ban
sudo apt install fail2ban -y
# Create a local configuration file
sudo nano /etc/fail2ban/jail.local
Basic Fail2Ban configuration:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Restart Fail2Ban:
sudo systemctl restart fail2ban
Performance Optimization
System Resource Monitoring
Install tools for monitoring system resources:
# Install basic monitoring tools
sudo apt install htop iotop glances -y
# Install Netdata for real-time performance monitoring
bash <(curl -Ss https://my-netdata.io/kickstart.sh)
Memory Management
Configure swap space for better memory management:
# Check if swap is enabled
swapon --show
# Create a swap file if none exists
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# Make swap permanent
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
# Adjust swappiness for server workloads
echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
File System Optimization
Journaling and TRIM
Enable TRIM for SSD optimization (if applicable):
# Check if TRIM is supported
sudo lsblk --discard
# Enable periodic TRIM
sudo systemctl enable fstrim.timer
sudo systemctl start fstrim.timer
File System Tuning
Create optimized mount options in /etc/fstab:
UUID=xxx / ext4 defaults,noatime,errors=remount-ro 0 1
Network Optimization
TCP Stack Tuning
Optimize the TCP stack for better network performance:
# Create a new configuration file
sudo nano /etc/sysctl.d/99-network-performance.conf
Add these optimizations:
# TCP Fast Open
net.ipv4.tcp_fastopen = 3
# Increase TCP window sizes
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
# Enable BBR congestion control
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# Increase connection queue
net.core.somaxconn = 4096
Apply changes:
sudo sysctl -p /etc/sysctl.d/99-network-performance.conf
Security Monitoring
Implementing Auditd
Set up system auditing with auditd:
# Install auditd
sudo apt install auditd audispd-plugins -y
# Configure basic rules
sudo nano /etc/audit/rules.d/audit.rules
Example audit rules:
# Monitor changes to system authentication configuration
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudo_config
# Monitor system calls
-a exit,always -F arch=b64 -S execve -k exec
# Monitor administrative access
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k sudo_usage
Restart the audit service:
sudo systemctl restart auditd
Log Management
Configure centralized logging or log shipping:
# Install rsyslog if not already installed
sudo apt install rsyslog -y
# Configure remote logging
sudo nano /etc/rsyslog.conf
Add the following for remote logging:
*.* @logserver.example.com:514
Backup Strategy
Setting Up Automated Backups
Install and configure Restic for automated backups:
# Install Restic
sudo apt install restic -y
# Initialize a backup repository
restic init --repo /backup
# Create a backup script
sudo nano /usr/local/bin/backup.sh
Example backup script:
#!/bin/bash
export RESTIC_REPOSITORY="/backup"
export RESTIC_PASSWORD="your-password"
# Perform backup
restic backup /var/www /etc /home
# Maintain only the last 7 daily, 4 weekly and 3 monthly backups
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 3 --prune
Make it executable and create a cron job:
sudo chmod +x /usr/local/bin/backup.sh
echo "0 2 * * * root /usr/local/bin/backup.sh" | sudo tee -a /etc/crontab
Conclusion
Setting up a modern Linux server involves careful consideration of security, performance, and reliability. By following these best practices, you can create a robust server environment suitable for production workloads.
Remember that server management is an ongoing process. Regularly review system logs, install security updates, and periodically evaluate your server's configuration against evolving best practices.