xand

Debian and Ubuntu post-install tasks

Notes for myself on configuring various things on Debian GNU/Linux and Ubuntu Linux.

Proxy server - squid

On home machines, configure apt to use the local Squid caching proxy server for faster package downloads. Create /etc/apt/apt.conf containing:

Acquire::http::Proxy "http://parsnip.xand.uk:3128/";

Editor - vim

$ sudo apt-get install vim
$ sudo update-alternatives --set editor /usr/bin/vim.basic

Update /etc/vim/vimrc

Add/uncomment the following lines:

syntax on
set nu
colorscheme slate

if has("autocmd")
  au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
endif

if has("autocmd")
  filetype plugin indent on
endif

Shell stuff

Update /etc/inputrc

Uncomment:

"\e[5~": history-search-backward
"\e[6~": history-search-forward

Adduser config

Update /etc/adduser.conf

Change these settings:

USERGROUPS=no
DIR_MODE=0700

NTP

$ sudo apt-get install ntp

Security

Firewall

The iptables-persistent package must be installed so that firewall rules are saved and restored across reboots:

$ sudo apt-get install iptables-persistent

IPv4

Configured in /etc/iptables/rules.v4:

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

IPv6

Configured in /etc/iptables/rules.v6:

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
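
An added check, not part of the original notes: the shell functions below parse rules files in the iptables-save format shown above, list the TCP ports that INPUT accepts, and test whether unmatched traffic is refused, so that rules.v4 and rules.v6 can be compared. The function names and the temporary sample files (built from the page's rulesets) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): audit rules files in the
# iptables-save format. Function names are hypothetical.

# Print the TCP destination ports that INPUT accepts, space-separated.
# Only single-port "--dport N" rules are recognised (no multiport).
open_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
             for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if unmatched INPUT traffic is refused: policy DROP, or the last
# INPUT rule is an unconditional REJECT/DROP. With policy ACCEPT, as on this
# page, losing that final rule leaves every port reachable.
input_default_deny() {
    awk '$1 == ":INPUT" { policy = $2 }
         $1 == "-A" && $2 == "INPUT" { last = $0 }
         END {
             if (policy == "DROP") exit 0
             if (last ~ /^-A INPUT -j (REJECT|DROP)( |$)/) exit 0
             exit 1
         }' "$1"
}

audit() {
    if input_default_deny "$1"; then verdict="default-deny"; else verdict="OPEN"; fi
    echo "$1: tcp [$(open_tcp_ports "$1")] $verdict"
}

# Constructed sample input: the page's IPv4 ruleset, an IPv6 variant derived
# from it, and a broken IPv6 copy with the final REJECT removed.
tmp=$(mktemp -d)
cat > "$tmp/rules.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
sed -e 's/-p icmp /-p ipv6-icmp /' -e 's/icmp-host-prohibited/icmp6-adm-prohibited/' \
    "$tmp/rules.v4" > "$tmp/rules.v6"
grep -v -- '-j REJECT' "$tmp/rules.v6" > "$tmp/rules.v6.open"
for f in "$tmp/rules.v4" "$tmp/rules.v6" "$tmp/rules.v6.open"; do audit "$f"; done
```

On a real host, pass /etc/iptables/rules.v4 and /etc/iptables/rules.v6 to audit after each edit; differing port lists or an OPEN verdict on either file means the two address families are not filtered alike.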

SSH

Fail2ban

This blocks SSH brute-force attempts by firewalling IP addresses that repeatedly fail to authenticate.

$ sudo apt-get install fail2ban

© 2019 xand