KVM / VMware / Standalone Ubuntu LTS / 12.04 / 12.10 Server Preparation

Assumptions:

This assumes you have installed a fresh Ubuntu Server with OpenSSH Server.

Setup Networking

Add DNS Servers

Add Static IPv4 (eth0)
Edit: /etc/network/interfaces
Replace the ip, gateway and netmask values with your information.

Reboot
Reboot to ensure error-free network operation.

Prepare the node

Prefer IPv4 over IPv6
Bugfix: prevents issues with apt-get lagging and with IPv6 taking precedence over IPv4.

Add the multiverse repositories

Update the package list

Remove useless packages from the system to create a minimal install

Upgrade

Install Utilities

Required to build applications from source

Kernel

Optimize Kernel

Tuning Sysctl Parameters

Secure the Kernel

Harden network via sysctl

Prevent IP Spoofing
/etc/host.conf

Secure shared memory

Tuning Sysctl Parameters

Increase hard and soft ulimit

Bugfix: Too many open files
Tuning Sysctl Parameters

Configure DenyHosts

Not required if installing ConfigServer Firewall.
Replace root@localhost with your email address.

Apply the config

Optional: Enable ZRAM (Virtual Swap Compressed in RAM)

This will give an extra 50% RAM. KVM VPSs are usually RAM-limited and have enough CPU power to cope with the increased overhead of zram.
You will have 768MB available memory on a 512MB VPS.
Install

Optional: Install ConfigServer Firewall

A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.
Note: This will require additional iptables and ip6tables modules to be enabled on the Proxmox host.
Please see this guide to enable them.
CSF Readme

Remove conflicting solutions

Install Perl packages

Download CSF and Install

Test CSF

Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK

RESULT: csf should function on this server

Optional: Disable IPv6

Enable successful SSHD login tracking

Disable Testing Mode

Restart CSF
Note: CSF will be running in testing mode.
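
To confirm the hardening steps above took effect, the following is an added example, not part of the original guide. It assumes the anti-spoofing step sets "nospoof on" in /etc/host.conf, that shared memory is mounted via fstab with noexec and nosuid, that CSF's testing mode is the TESTING flag in csf.conf, and that the module test output was saved to a file; all function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added audit sketch. Directives and file layouts below are assumptions;
# the page does not show the exact settings it applies.

# host.conf: "nospoof on" is assumed to be the anti-spoofing directive.
check_hostconf() {
    grep -Eq '^[[:space:]]*nospoof[[:space:]]+on' "$1"
}
# fstab: an uncommented shared-memory mount must carry noexec and nosuid.
check_shm() {
    awk '$1 !~ /^#/ && $2 ~ /^\/(run|dev)\/shm$/ && $4 ~ /noexec/ && $4 ~ /nosuid/ { ok = 1 }
         END { exit !ok }' "$1"
}
# csf.conf: testing mode is off only when TESTING = "0".
check_csf_testing() {
    grep -Eq '^[[:space:]]*TESTING[[:space:]]*=[[:space:]]*"0"' "$1"
}
# Saved module-test output: every "Testing ..." line must end in OK.
check_csftest() {
    awk '/^Testing / { n++; if ($0 !~ /OK[ \t\r]*$/) bad++ }
         END { exit !(n > 0 && bad == 0) }' "$1"
}

# audit HOSTCONF FSTAB CSFCONF CSFTEST_OUTPUT; exit status = number of failed checks
audit() {
    fails=0
    check_hostconf "$1"    || { echo "FAIL: nospoof not enabled in $1"; fails=$((fails + 1)); }
    check_shm "$2"         || { echo "FAIL: shm lacks noexec,nosuid in $2"; fails=$((fails + 1)); }
    check_csf_testing "$3" || { echo "FAIL: CSF still in testing mode ($3)"; fails=$((fails + 1)); }
    check_csftest "$4"     || { echo "FAIL: a required iptables module is missing ($4)"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample inputs, written into directory $1 (CSF left in testing mode).
make_samples() {
    printf 'order bind,hosts\nnospoof on\n' > "$1/host.conf"
    printf 'tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0\n' > "$1/fstab"
    printf 'TESTING = "1"\n' > "$1/csf.conf"
    printf 'Testing ipt_LOG...OK\nTesting xt_connlimit...OK\n' > "$1/csftest.out"
}

# Demo on the constructed samples: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d"
    audit "$d/host.conf" "$d/fstab" "$d/csf.conf" "$d/csftest.out"
    echo "failed checks: $?"
fi
```

On a real server, pass the live files instead, for example /etc/host.conf, /etc/fstab and /etc/csf/csf.conf, plus the saved test output.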
