Server Basic Setup

RAID

  • high-reliability servers (firewall, DHCP, web, etc)
    • 4 drives: RAID 1 (* 2), hot spare * 1, cold spare * 1
  • computational servers
    • RAID 10, hot spare * 1 or 2

Operating System

  • Ubuntu 20.04 LTS 64-bit Server Edition.

Packages

# update the package index
$ sudo apt update
# upgrade packages
$ sudo apt upgrade
 
# install specific new packages
# Zero Configuration Networking (Zeroconf)
$ sudo apt install avahi-daemon
# if avahi-daemon does not work after a reboot, log in using the IP address and restart it
$ sudo service avahi-daemon restart
 
 
# remove all unused packages
$ sudo apt autoremove
 
# remove specific packages; for example, those in /boot
$ sudo apt remove linux-image-2.6.32-23-server
$ sudo apt remove linux-image-3.2.0-32-generic

Network

  • edit /etc/netplan/50-cloud-init.yaml to configure the network
    • use space for indentation, NOT tab.
    • or delete the original *.yaml file generated by the installer, then create a new xxx.yaml in /etc/netplan
  • example: eno1 uses DHCP; eno2 uses a static IP
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses: []
      dhcp4: true
    eno2:
      addresses: [140.109.56.170/24]
      gateway4: 140.109.56.254
      nameservers:
        addresses: [140.109.1.10,8.8.8.8,8.8.4.4]
      dhcp4: no
  • after updating the config file, execute sudo netplan try to validate, then sudo netplan apply to apply
  • to check the network info: ip a
  • note: for Ubuntu 16.04 and earlier versions, edit /etc/network/interfaces instead

Time Synchronization

# check setting
$ timedatectl
# list available timezones
$ timedatectl list-timezones
# set time zone (select from the list above)
$ sudo timedatectl set-timezone Asia/Taipei
# verify
$ date

SSH

  • minimal requirement: sudo apt install fail2ban
  • /etc/ssh/sshd_config
    • PermitRootLogin no
    • Limit SSH connections to IPv4 and disable IPv6
      • Uncomment ListenAddress 0.0.0.0
      • Leave ListenAddress :: commented out (#ListenAddress ::)
      • With this setting the server listens on IPv4 only, so normal connections are not denied because a client connected over IPv6 and was rejected by the rules in /etc/hosts.allow and /etc/hosts.deny.
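
A quick way to confirm that the two sshd_config settings above are in effect, as an added shell example that is not part of the original page. The function name audit_sshd_config, the acceptance of AddressFamily inet as an equivalent IPv4-only setting, and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Audit the global section of an sshd_config file for the settings listed above.
# Prints PASS/FAIL per check; returns 0 only when every check passes.
audit_sshd_config() {
    awk -F'[ \t=]+' '
    { sub(/^[ \t]+/, "") }                  # drop leading indentation
    /^#/ || $0 == "" { next }               # skip comments and blank lines
    {
        key = tolower($1); val = tolower($2)
        gsub(/"/, "", val)                  # arguments may be double-quoted
        if (key == "match") exit            # conditional blocks are not audited
        # sshd keeps the first value it reads for single-valued keywords
        if (key == "permitrootlogin" && root == "") root = val
        if (key == "addressfamily" && fam == "") fam = val
        # ListenAddress may repeat, so every occurrence is inspected
        if (key == "listenaddress") {
            if (val ~ /^\[/ || val ~ /:.*:/) v6 = 1          # ::, [::]:22, ...
            else if (val ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$/) v4 = 1
        }
    }
    END {
        bad = 0
        if (root == "no") print "PASS PermitRootLogin no"
        else { print "FAIL PermitRootLogin is " (root == "" ? "unset" : root); bad = 1 }
        # assumption of this example: AddressFamily inet also counts as IPv4-only
        if (!v6 && (v4 || fam == "inet")) print "PASS sshd listens on IPv4 only"
        else { print "FAIL sshd is not restricted to IPv4"; bad = 1 }
        exit bad
    }' "${1:-/etc/ssh/sshd_config}"
}

# Constructed sample: IPv4 listener configured, root login still permitted.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'PermitRootLogin yes' \
    'ListenAddress 0.0.0.0' '#ListenAddress ::' > "$sample"
audit_sshd_config "$sample" || echo "sample config fails the audit, as intended"
rm -f "$sample"
```

The function reads a single file and does not follow Include lines; sudo sshd -T prints the effective configuration as sshd itself resolves it.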

Message Of The Day (motd)

# disable unnecessary messages
$ sudo chmod a-x /etc/update-motd.d/10-help-text 
$ sudo chmod a-x /etc/update-motd.d/50-motd-news 

User Management

Permissions

  • The default setting in Ubuntu allows world read/execute permissions to the user home directory. To protect data privacy, edit the file /etc/adduser.conf and modify the DIR_MODE variable to:
DIR_MODE=0750

Add Users

To add new users:

$ sudo adduser username

The default profile is based on the contents in /etc/skel/

Add Group

$ sudo addgroup groupname

Add User to Group

$ sudo adduser username groupname

Remove User from Group

$ sudo deluser username groupname

Change username and home directory

$ sudo usermod -l new_username old_username
$ sudo usermod -d /home/new_username -m new_username

Administrator Privileges

To give a user administrator privileges (e.g., the ability to use sudo):

  • add the user to the adm and sudo groups

Reset password

$ sudo passwd username

Delete User

$ sudo deluser username
$ sudo delgroup groupname

Create scratch directory and storage

Run the shell script make_work_dir, which was written by Dr. Kuo.

$ sudo /home/chkuo/bin/make_work_dir username

Limit

  • /etc/security/limits.conf
# example of setting default priority
@users      -       priority        5
username    -       priority        10

Test

Hard Drive Speed

Use hdparm (requires sudo), for example:

$ sudo hdparm -tT /dev/sda
 
/dev/sda:
 Timing cached reads:   14352 MB in  2.00 seconds = 7182.41 MB/sec
 Timing buffered disk reads:  1660 MB in  3.00 seconds = 553.13 MB/sec

computers/server_basic_setup.txt · Last modified: 2023/10/27 16:54 by hychang