```bash
# TIMEZONE
sudo timedatectl set-timezone Europe/Rome

# DISABLE AUTOMATIC UPDATES
sudo sed -i 's/1";/0";/' /etc/apt/apt.conf.d/20auto-upgrades
sudo systemctl disable apt-daily{,-upgrade}.timer
sudo systemctl mask apt-daily{,-upgrade}.service

# If not using Ubuntu PRO:
# Disable Ubuntu Pro ESM Hook and MOTD Spam - thanks to UnspamifyUbuntu
sudo mv /etc/apt/apt.conf.d/20apt-esm-hook.conf /etc/apt/apt.conf.d/20apt-esm-hook.conf.disabled
sudo sed -Ezi.orig \
  -e 's/(def _output_esm_service_status.outstream, have_esm_service, service_type.:\n)/\1    return\n/' \
  -e 's/(def _output_esm_package_alert.*?\n.*?\n.:\n)/\1    return\n/' \
  /usr/lib/update-notifier/apt_check.py
sudo /usr/lib/update-notifier/update-motd-updates-available --force
sudo sed -i 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news

# Change "root" user password
sudo passwd root
```
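```bash
sudo apt -y install cloud-guest-utils gdisk
df -h
# growpart takes the disk and the partition number as separate arguments
sudo growpart /dev/sda 3
lsblk
sudo resize2fs /dev/sda3
# or this for LVM
sudo lvextend -r -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv
df -h
```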
Network
Static IP
Set a static IP in the netplan.yaml if not configured during OS installation.
```bash
# Show listening sockets and running services
sudo ss -atpu

# List available network interfaces and use the interface ens32
ip -br -c a

# Disable cloud-init networking configuration - if necessary
sudo nano /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg
# Make sure it is "disabled"
# network: {config: disabled}

# Open the netplan configuration file for editing
sudo nano /etc/netplan/00-installer-config.yaml
# or
sudo nano /etc/netplan/50-cloud-init.yaml
```

```yaml
# This is the network config written by 'subiquity'
network:
  version: 2
  ethernets:
    ens32:
      addresses: [<IP>/24]
      gateway4: <GATEWAY_IP>
      nameservers:
        addresses: [1.1.1.1, 9.9.9.9]
```

```bash
# Exit and save
# Apply the netplan configuration changes
sudo netplan apply
# Reboot the system
```
If necessary and the VM has 2 NICs, add the second one in the netplan.yaml
```bash
# List available network interfaces and check the second interface name
ip -br -c a

# Example of DHCP on both network interfaces
sudo nano /etc/netplan/50-cloud-init.yaml
```

```yaml
network:
  ethernets:
    enp0s3:
      dhcp4: true
    enp0s8:
      dhcp4: true
  version: 2
```
```bash
sudo su
apt install curl

# Docker Engine - Convenience Script
sh <(curl -sSL https://get.docker.com)

# Docker Compose
LATEST=$(curl -sL https://api.github.com/repos/docker/compose/releases/latest | grep '"tag_name":' | cut -d'"' -f4)
DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
mkdir -p "$DOCKER_CONFIG/cli-plugins"
# Write the plugin to the same directory that is created and chmod-ed here
curl -sSL "https://github.com/docker/compose/releases/download/$LATEST/docker-compose-linux-x86_64" -o "$DOCKER_CONFIG/cli-plugins/docker-compose"
chmod +x "$DOCKER_CONFIG/cli-plugins/docker-compose"
docker compose version

# Add a user to the "docker" group to let it run Docker
sudo groupadd docker
sudo gpasswd -a "${USER}" docker
```
Alternative to install Docker Engine (via APT)
```bash
# Install Docker Engine via APT repository
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done

sudo apt update -y && sudo apt install -y ca-certificates curl gnupg
sudo sh -c '
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg
  sudo chmod a+r /usr/share/keyrings/docker.gpg
  echo "deb [arch="$(dpkg --print-architecture)" signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list
  sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
'
sudo systemctl enable docker --now
sudo gpasswd -a "${USER}" docker

# On Debian and Ubuntu, the Docker service starts on boot by default, if not run
sudo systemctl enable docker.service
sudo systemctl enable containerd.service

# Reboot and Test
sudo reboot
docker run hello-world
```
Hardening
SSH-key-based authentication
Ubuntu Server with OpenSSH pre-installed ships with the parameter PasswordAuthentication yes already set in /etc/ssh/sshd_config.d/50-cloud-init.conf (or in /etc/ssh/sshd_config). If the parameter is commented out, sshd falls back to its default, which is yes (password authentication permitted).
Generate an SSH Key Pair on the local HOST from which the connection is established
```bash
# Local HOST
cd
mkdir -p ~/.ssh
cd ~/.ssh
ssh-keygen -t ed25519
# Type a secure passphrase when asked
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
# Add the SSH private key to the ssh-agent
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519
```
Add the Public Key to a system/sudo user on the Ubuntu Server VM
```bash
# Automatic (if password SSH is allowed)
ssh-copy-id <sudo_user>@<remote_Server_IP>
```

```bash
# Manually
# Local HOST
cat ~/.ssh/id_ed25519.pub
# copy the string
# Should start with ssh-ed25519 AAAA... or ssh-rsa AAAA... (if rsa)

# Ubuntu Server VM
mkdir -p ~/.ssh   # the directory may not exist yet for a new user
echo "pubkey_string" >> ~/.ssh/authorized_keys
# Set permissions
chmod -R go= ~/.ssh
```
Log out and log in using the Private Key
```bash
ssh <sudo_user>@<remote_Server_IP>
# ssh -i ~/.ssh/id_ed25519 <sudo_user>@<remote_host_IP>
# Enter the key Passphrase
```
Disable SSH password authentication
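```bash
# Delete sshd_config.d/50-cloud-init.conf
sudo rm /etc/ssh/sshd_config.d/50-cloud-init.conf
# Inside /etc/ssh/sshd_config set PasswordAuthentication to "no"
# (also rewrites a commented-out "#PasswordAuthentication yes" line, which would
# otherwise leave sshd on its default of yes)
sudo sed -i -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]+(yes|no).*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Restart SSH service
sudo systemctl restart ssh
```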
Log out and log in again. Only SSH-key-based authentication is now permitted.
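To check which PasswordAuthentication value sshd ends up with after these steps, the script below (an added example, not part of the original guide) reads a config the way sshd does: Include lines are expanded in place and the first value read for a keyword wins. The helper names and the temporary sample tree are constructed for illustration; it assumes absolute Include paths, as in Ubuntu's stock sshd_config, and ignores Match blocks.

```shell
#!/usr/bin/env bash
# Added example. sshd keeps the FIRST value it reads for a keyword and expands
# Include lines in place, so a drop-in included at the top beats the main file.

# effective_sshd_option KEYWORD CONFIG -> prints "value<TAB>file", or returns 1
# when the keyword is never set (sshd then applies its built-in default).
# Hypothetical helper: absolute Include paths only, global section only.
effective_sshd_option() {
  local kw cfg="$2" key rest inc
  kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while read -r key rest || [ -n "$key" ]; do
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    case "$key" in
      ''|'#'*) continue ;;              # blank or commented-out line
      match)   break ;;                 # conditional blocks are out of scope
      include)
        for inc in $rest; do            # unquoted on purpose: expands the glob
          if [ -f "$inc" ] && effective_sshd_option "$kw" "$inc"; then
            return 0
          fi
        done ;;
      "$kw") printf '%s\t%s\n' "${rest%%[[:space:]]*}" "$cfg"; return 0 ;;
    esac
  done < "$cfg"
  return 1
}

# Constructed sample tree mirroring the file layout described above.
demo_tree() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/sshd_config.d"
  printf 'PasswordAuthentication yes\n' > "$root/sshd_config.d/50-cloud-init.conf"
  printf 'Include %s/sshd_config.d/*.conf\n#PasswordAuthentication yes\n' "$root" \
    > "$root/sshd_config"
  printf '%s\n' "$root"
}

root=$(demo_tree)
check() {
  effective_sshd_option PasswordAuthentication "$root/sshd_config" \
    || echo "unset: sshd default (yes) applies"
}
check                                               # drop-in wins
rm "$root/sshd_config.d/50-cloud-init.conf"; check  # only a commented line left
echo 'PasswordAuthentication no' >> "$root/sshd_config"; check
rm -rf "$root"
```

On the server itself, sudo sshd -T | grep -i passwordauthentication prints the value the daemon resolves from the real files.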