# TIMEZONEsudotimedatectlset-timezoneEurope/Rome# DISABLE AUTOMATIC UPDATESsudosed-i's/1";/0";/'/etc/apt/apt.conf.d/20auto-upgradessudosystemctldisableapt-daily{,-upgrade}.timersudosystemctlmaskapt-daily{,-upgrade}.service# If not using Ubuntu PRO:# Disable Ubuntu Pro ESM Hook and MOTD Spam - thanks to UnspamifyUbuntusudomv/etc/apt/apt.conf.d/20apt-esm-hook.conf/etc/apt/apt.conf.d/20apt-esm-hook.conf.disabledsudosed-Ezi.orig \-e's/(def _output_esm_service_status.outstream, have_esm_service, service_type.:\n)/\1 return\n/' \-e's/(def _output_esm_package_alert.*?\n.*?\n.:\n)/\1 return\n/' \/usr/lib/update-notifier/apt_check.pysudo/usr/lib/update-notifier/update-motd-updates-available--forcesudosed-i's/^ENABLED=.*/ENABLED=0/'/etc/default/motd-news# Change "root" user passwordsudopasswdroot
sudoapt-yinstallcloud-guest-utilsgdiskdf-hgrowpart/dev/sda3lsblksudoresize2fs/dev/sda3# or this for LVMsudolvextend-r-l+100%FREE/dev/mapper/ubuntu--vg-ubuntu--lvdf-h
Network
Static IP
Set a static IP in the netplan.yaml if not configured during OS installation.
# Show listening sockets and running servicessudoss-atpu# List available network interfaces and use the interface ens32ip-br-ca# Disable cloud-init networking configuration - if necessarysudonano/etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg# Make sure it is "disabled"# network: {config: disabled}# Open the netplan configuration file for editingsudonano/etc/netplan/00-installer-config.yaml# orsudonano/etc/netplan/50-cloud-init.yaml# This is the network config written by 'subiquity'network:version:2ethernets:ens32:addresses: [<IP>/24]gateway4:<GATEWAY_IP>nameservers:addresses: [1.1.1.1, 9.9.9.9]# Exit and save# Apply the netplan configuration changessudonetplanapply# Reboot the system
If necessary and the VM has 2 NICs, add the seccond one in the netplan.yaml
# List available network interfaces and check the second interface nameip-br-ca# Example of DHCP on both network interfacessudonano/etc/netplan/50-cloud-init.yamlnetwork:ethernets:enp0s3:dhcp4:trueenp0s8:dhcp4:trueversion:2
sudosuaptinstallcurl# Docker Engine - Convenience Scriptsh<(curl-sSLhttps://get.docker.com)# Docker ComposeLATEST=$(curl-sLhttps://api.github.com/repos/docker/compose/releases/latest|grep'"tag_name":'|cut-d'"'-f4)DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}mkdir-p $DOCKER_CONFIG/cli-pluginscurl -sSL https://github.com/docker/compose/releases/download/$LATEST/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose
chmod+x $DOCKER_CONFIG/cli-plugins/docker-composedockercomposeversion# Add a user to the "docker" group to let it run Dockersudogroupadddockersudogpasswd-a"${USER}"docker
Alternative to install Docker Engine (via APT)
# Install Docker Engine via APT repositoryfor pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
sudoaptupdate-y&&sudoaptinstall-yca-certificatescurlgnupgsudosh-c' curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg sudo chmod a+r /usr/share/keyrings/docker.gpg echo "deb [arch="$(dpkg --print-architecture)" signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
'sudosystemctlenabledocker--nowsudogpasswd-a"${USER}"docker# On Debian and Ubuntu, the Docker service starts on boot by default, if not runsudosystemctlenabledocker.servicesudosystemctlenablecontainerd.service# Reboot and Testrebootdockerrunhello-world
Hardening
SSH-key-based authentication
Ubuntu Server with OpenSSH pre-installed comes with PasswordAuthentication yes parameter already set inside /etc/ssh/sshd_config.d/50-cloud-init.conf (or /etc/ssh/sshd_config). If the parameter is commented, the default is yes (password auth permitted) for the sshd_config.
Generate an SSH Key Pair on the local HOST from which the connection is established
# Local HOSTcdmkdir-p~/.sshcd~/.sshssh-keygen-ted25519# Type a secure passphrase when askedchmod700~/.sshchmod600~/.ssh/*# Add the SSH private key to the ssh-agenteval"$(ssh-agent-s)"&&ssh-add~/.ssh/id_ed25519
Add the Public Key to a system/sudo user on the Ubuntu Server VM
If you want to use the same key saved on Github profile, having already the private key in the Ubuntu Local HOST (commands above), ssh into the Ubuntu Server VM and use the following curl command
# Ubuntu Server VMcurl-shttps://github.com/<github-username>.keys>> $HOME/.ssh/authorized_keys# e.g.curl-shttps://github.com/syselement.keys>> $HOME/.ssh/authorized_keys
# Automatic (if password SSH is allowed)ssh-copy-id<sudo_user>@<remote_Server_IP>
# Manually# Local HOSTcat~/.ssh/id_ed25519.pub# copy the string# Should start with ssh-ed25519 AAAA... or ssh-rsa AAAA... (if rsa)# Ubuntu Server VMecho"pubkey_string">>~/.ssh/authorized_keys# Set permissionschmod-Rgo=~/.ssh
Log out and log in using the Private Key
ssh<sudo_user>@<remote_Server_IP># ssh -i ~/.ssh/id_ed25519 <sudo_user>@<remote_host_IP># Enter the key Passphrase if necessary
Disable SSH password authentication
# Delete sshd_config.d/50-cloud-init.confsudorm/etc/ssh/sshd_config.d/50-cloud-init.conf# Inside /etc/ssh/sshd_config set PasswordAuthentication to "no"sudosed-i"/^[^#]*PasswordAuthentication[[:space:]]yes/c\PasswordAuthentication no"/etc/ssh/sshd_config# Restart SSH servicesudosystemctlrestartssh
Try again to logout and login. Only SSH-key-base authentication is permitted.