Ubuntu Configurations To Remember

1. Install the openssh-server package.
Use ufw to configure the firewall: allow in port 22 or service ssh (same thing). Many tip sheets exist: http://linuxpoison.blogspot.com/2008/05/ufw-uncomplicated-firewall-setup-and.html

(Firestarter can do the same thing, but it is bigger and more complicated, and serves another role as a silly “personal firewall” program: if you want, you can run it as a sudo user and then it can allow in connections for that particular sudo user. This is an MS Windows personal firewall.)

ssh server reads /etc/hosts.allow and /etc/hosts.deny. For defense against attackers who try to break in by randomly guessing passwords, install the “denyhosts” package, then edit the configuration file for denyhosts and change the HOSTS_DENY option like this:

/etc/denyhosts.conf

HOSTS_DENY = /etc/denyhosts.blocked

##################

Then type “touch /etc/denyhosts.blocked” to create the text file that lists your banned bad sites. You will be surprised when you check back and see people try to get in.

And then make the compatible changes in /etc/hosts.allow and /etc/hosts.deny:

/etc/hosts.deny

ALL: ALL

##################
/etc/hosts.allow

portmap: 129.237.61.
ALL: 127.0.0.1
sshd : /etc/denyhosts.blocked : deny
sshd: 129.237.61. 24.124.
sshdfwd-X11: 129.237.61. 24.124.
sshd: 66.45.
sshdfwd-X11: 66.45.

sshd: 192.168.
sshdfwd-X11: 192.168.

I’m paranoid: I’m blocking ssh connections from all IP addresses unless I know they are local or needed. I’ve found this is a great security measure against “script kiddies”. Then on top of that, if there is a “script kiddie” in the area I allow, denyhosts kills it.
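To check which clients the rules above actually admit, here is an added Python sketch (not part of the original post) that models hosts_access(5) matching for the pattern forms used here. The names `host_matches` and `decide` are made up for this example, the blocked address is a constructed sample, the sshdfwd-X11 lines are left out for brevity, and only IPv4 is handled.

```python
# Added example: a small model of hosts_access(5) rule matching (IPv4 only).
# It handles just the pattern forms used on this page.
HOSTS_ALLOW = """\
portmap: 129.237.61.
ALL: 127.0.0.1
sshd : /etc/denyhosts.blocked : deny
sshd: 129.237.61. 24.124.
sshd: 66.45.
sshd: 192.168.
"""
HOSTS_DENY = "ALL: ALL\n"
# Constructed sample of a block-file entry written by denyhosts.
FILES = {"/etc/denyhosts.blocked": ["129.237.61.77"]}


def host_matches(pattern, addr, files):
    """True if a client address matches one hosts_access host pattern."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):   # a file holding a list of patterns
        return any(host_matches(p, addr, files) for p in files.get(pattern, []))
    if pattern.endswith("."):     # trailing dot: match on leading octets
        return addr.startswith(pattern)
    return addr == pattern        # no trailing dot: exact address only


def decide(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY, files=FILES):
    """Return 'allow' or 'deny' the way the wrapper library would."""
    # hosts.allow is searched first, then hosts.deny; the first match wins.
    for text, default in ((allow, "allow"), (deny, "deny")):
        for line in text.splitlines():
            fields = [f.strip() for f in line.split("#")[0].split(":")]
            if len(fields) < 2:
                continue
            daemons, hosts = fields[0].split(), fields[1].split()
            if (daemon in daemons or "ALL" in daemons) and any(
                host_matches(h, addr, files) for h in hosts
            ):
                # An explicit third field (here "deny") overrides the default.
                return fields[2] if len(fields) > 2 else default
    return "allow"  # no rule in either file matched


if __name__ == "__main__":
    for d, a in [("sshd", "129.237.61.5"), ("sshd", "129.237.61.77"),
                 ("sshd", "203.0.113.9"), ("portmap", "66.45.1.1")]:
        print(d, a, decide(d, a))
```

Because the first match wins, the denyhosts.blocked line has to stay above the sshd prefix lines; below them, a blocked address inside an allowed range would still be admitted.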

There is another package called “fail2ban” that does the same thing, but it can protect a wider range of services against attacks. I’ve tried to configure that, but failed, and mean to go back to it.

2. In a publicly accessible machine, secure the BIOS and the boot-loader so users cannot gain root access. Here’s a detailed explanation.
http://ubuntuforums.org/showthread.php?t=715630

2. Install cron-apt, then in actions force installs without interaction. Look in /etc/cron-apt/actions for this file:

$ cat 3-download
### autoclean -y
##dist-upgrade -d -y -o APT::Get::Show-Upgraded=true
dist-upgrade -y
autoclean -y -o APT::Clean-Installed=off

3. Add mlterm to the terminals that work with bashrc.

MLterm is my favorite terminal program. Ubuntu does not know about the TERM type mlterm, however. (type env, you’ll see what I mean).

Add mlterm* to the $TERM check so that the full path shows in the terminal titlebar.

Also, I don’t want those really long prompts:

In the PS1 settings, change \w to \W so only the last directory shows in the prompt.

These are aliases I keep at the end of bashrc. The unison alias is needed because Ubuntu calls the executable unison-gtk, not unison as Fedora does.

export CVS_RSH=ssh
alias lsl='ls -la --color=yes'
alias l='ls -FC'
alias ll='ls -l'
alias rm='rm -i' # prompt before removing any file
alias cp='cp -i' # prompt before overwriting any file with cp
alias mv='mv -i' # prompt before overwriting any file with mv
alias unison='unison-gtk -times'
alias rsync='rsync -t'
alias ls='ls --color=yes'

4. Remove the Applications Add/Remove item.

5. Fonts:

Copy the font files to a custom directory in /usr/share/fonts or into user $HOME/.fonts.

Make a directory there and put your fonts in it. After that, while still inside the directory, do:

sudo mkfontdir
sudo mkfontscale
sudo fc-cache -fv

See if the msttcorefonts package handles this properly :)
______________

6. TMPTIME

In /etc/default/rcS, set:
TMPTIME=14

Fourteen days for files in tmp. Otherwise, they are all nuked at restart.

About pauljohn

Paul E. Johnson is a Professor of Political Science at the University of Kansas. He is an avid Linux User, an adequate system administrator and C programmer, and humility is one of his greatest strengths.