
New Instance

New Linux deployment:
Set timezone
$ dpkg-reconfigure tzdata
$ date   # verify the time and time zone are correct
Set hostname
$ echo "hp1" > /etc/hostname
$ hostname -F /etc/hostname
If it exists, edit /etc/default/dhcpcd to comment out the SET_HOSTNAME directive:

/etc/hosts is the machine's local DNS: for a given name it tells the resolver which IP address to use. Edit /etc/hosts to resemble the following example, replacing the hostname, the domain name and the IP address with your own values.
localhost hp1
This lets you test your site in full without actually taking the domain name live.
$ ping   # make sure the name resolves to the correct IP address (this machine)    :)

Disable root login and password authentication over SSH
$ sudo vim /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin no
$ sudo service ssh restart
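The two sshd_config edits above are usually done by hand in vim. As an added example (not part of the original notes), the script below makes the same change repeatably: it rewrites the first global occurrence of a directive, whether active or commented out, drops later duplicates, and inserts the directive before the first Match block when the file has none, since any line after "Match" only applies inside that block. It assumes the whitespace-separated "Key value" form, and the sshd_config it edits is a constructed sample, not the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original notes): set sshd_config directives
# idempotently and read back the effective value. Assumes the whitespace-
# separated "Key value" form; the sample config below is constructed.

# set_sshd_option FILE KEY VALUE
# Rewrites the first global "KEY ..." line (active or commented out) to
# "KEY VALUE" and drops later duplicates. If the file has no global line for
# KEY, the directive is inserted before the first Match block (or appended),
# because anything after "Match" only applies inside that block.
set_sshd_option() {
    _file=$1
    awk -v key="$2" -v value="$3" '
        BEGIN { lkey = tolower(key) }
        {
            raw = $0; sub(/^[ \t]*/, "", raw)
            commented = (substr(raw, 1, 1) == "#")
            line = raw; sub(/^#?[ \t]*/, "", line)
            split(line, f, /[ \t]+/); kw = tolower(f[1])
            if (!in_match && kw == "match" && !commented) {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (!in_match && kw == lkey) {
                if (!done) { print key " " value; done = 1 }
                next                      # first occurrence rewritten, later ones dropped
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# get_sshd_option FILE KEY: print the effective global value. Like sshd,
# the first active occurrence wins and Match blocks are not consulted.
get_sshd_option() {
    awk -v key="$2" '
        BEGIN { lkey = tolower(key) }
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (line == "" || line ~ /^#/) next
            split(line, f, /[ \t]+/); kw = tolower(f[1])
            if (kw == "match") exit
            if (kw == lkey) { print f[2]; exit }
        }
    ' "$1"
}

# harden_sshd FILE: the two settings from the notes above
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# write_sample_sshd_config FILE: constructed stand-in for /etc/ssh/sshd_config
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real Debian sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# demo_harden: applies the two settings to a temp copy of the sample and
# prints "PasswordAuthentication=no PermitRootLogin=no"; the Match block is untouched
demo_harden() {
    _cfg=$(mktemp)
    write_sample_sshd_config "$_cfg"
    harden_sshd "$_cfg"
    printf 'PasswordAuthentication=%s PermitRootLogin=%s\n' \
        "$(get_sshd_option "$_cfg" PasswordAuthentication)" \
        "$(get_sshd_option "$_cfg" PermitRootLogin)"
    rm -f "$_cfg"
}

demo_harden
```

Run harden_sshd against /etc/ssh/sshd_config only after confirming in a second terminal that key-based login already works; once PasswordAuthentication is off and sshd has been restarted, a missing key means a lockout.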

Setup firewall
$ sudo iptables -L
$ sudo vim /etc/iptables.firewall.rules   # create a file to store rules

#  iptables-restore format: the rules sit inside a *filter ... COMMIT block
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls (rate limited so the log cannot be flooded)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP

COMMIT


These rules allow inbound traffic to HTTP (80), HTTPS (443), SSH (22) and ping; all other inbound ports are blocked.
If you plan on using the Linode Longview service, add these additional lines above the "# Drop all other inbound" section:
#  Allow incoming Longview connections

#  Allow metrics to be provided to Longview

$ sudo iptables-restore < /etc/iptables.firewall.rules
$ sudo iptables -L   # double check

Now make sure the firewall rules are loaded again every time the machine boots:
$ sudo vim /etc/network/if-pre-up.d/firewall     # create file
/sbin/iptables-restore < /etc/iptables.firewall.rules

$ sudo chmod +x /etc/network/if-pre-up.d/firewall
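Because iptables-restore applies the file in order, an ACCEPT placed after the final DROP is dead, a catch-all ACCEPT silently opens everything, and a missing ESTABLISHED,RELATED rule breaks the replies to the host's own connections. The script below is an added example, not part of the original notes: a lint that reads an iptables-restore file and reports those ordering and coverage mistakes before anything is loaded. Both rule sets it checks are constructed samples; the "good" one is the rule set from the notes above in loadable form, with the rules the comments describe filled in.

```shell
#!/bin/sh
# Added example (not from the original notes): lint an iptables-restore file
# before loading it, so ordering mistakes are caught without touching the live
# ruleset. Only the INPUT chain is checked. Both sample files are constructed.

# lint_fw_rules FILE: prints one "FINDING: ..." line per problem, exit 1 if any
lint_fw_rules() {
    awk '
        function bad(msg) { findings++; print "FINDING: " msg }
        {
            if ($0 ~ /^[ \t]*(#|$)/) next             # comments and blank lines
            n++
            if (n == 1 && $1 != "*filter") bad("first line must be *filter (table header for iptables-restore)")
            last = $1
            if ($1 != "-A" || $2 != "INPUT") next     # only the INPUT chain is checked
            inputs++
            if (inputs == 1 && !($0 ~ /-i lo / && $0 ~ /-j ACCEPT/))
                bad("first INPUT rule should accept loopback (-i lo)")
            if ($0 ~ /-j ACCEPT/ && $0 ~ /ESTABLISHED/) est_seen = 1
            if ($0 ~ /--dport/ && $0 ~ /-j ACCEPT/ && !est_seen)
                bad("port opened before the ESTABLISHED,RELATED accept: " $0)
            if ($0 ~ /-j ACCEPT/ && $0 !~ /-i lo / && $0 !~ /-p / && $0 !~ /ESTABLISHED/)
                bad("catch-all INPUT accept with no -p: " $0)
            if (deny_seen && $0 ~ /-j ACCEPT/)
                bad("ACCEPT after the default deny is never reached: " $0)
            # an unconditional DROP/REJECT (no -p, -s or -d) is the default deny
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /-(p|s|d) /) deny_seen = 1
        }
        END {
            if (last != "COMMIT") bad("last line must be COMMIT")
            if (!est_seen) bad("no ESTABLISHED,RELATED accept: replies to outbound connections are dropped")
            if (!deny_seen) bad("no unconditional INPUT drop/reject: unlisted ports are allowed")
            exit (findings ? 1 : 0)
        }
    ' "$1"
}

# sample_rules_good: the rule set from the notes, in loadable form (constructed)
sample_rules_good() {
    cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
EOF
}

# sample_rules_bad: constructed mistakes: loopback not first, a catch-all
# accept, and no default deny at the end
sample_rules_bad() {
    cat <<'EOF'
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# run the lint over both samples
for s in good bad; do
    f=$(mktemp)
    "sample_rules_$s" > "$f"
    if lint_fw_rules "$f"; then echo "$s: no findings"; fi
    rm -f "$f"
done
```

To use it on the real file, run lint_fw_rules /etc/iptables.firewall.rules and only call iptables-restore when it exits 0; iptables-restore itself accepts a file that merely parses, so it will happily load a rule set whose only problem is order.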

fail2ban to block dictionary and brute-force login attempts:
$ sudo apt-get install fail2ban
$ sudo vim /etc/fail2ban/jail.local   # overrides the default settings; edit it if you want non-default options such as bantime, maxretry, etc.

$ apt-get update
$ apt-get upgrade --show-upgraded

$ git clone
$ cd cheatsheet
$ ./setup

Software packages

Download/add to path:
$ sudo apt-get install htop
$ sudo apt-get install mysql-server
$ mysql -u root -p   # will prompt for the password
mysql> SHOW DATABASES;
mysql> CREATE DATABASE hp_db CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> SELECT default_character_set_name FROM information_schema.SCHEMATA WHERE schema_name = 'hp_db';
mysql> USE hp_db;
mysql> CREATE USER 'testuser'@'localhost' IDENTIFIED BY 'test123test!';
mysql> SELECT User,Host FROM mysql.user;   # view all users
mysql> GRANT ALL ON my_db.* TO 'michael'@'localhost';
One liner that creates the user and grants in one statement (MySQL 5.x syntax; GRANT ... IDENTIFIED BY was removed in MySQL 8, which needs a separate CREATE USER):
mysql> GRANT ALL ON my_db.* TO 'my_user'@'localhost' IDENTIFIED BY 'my_pass';
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON my_db.* TO 'michael'@'localhost';   # enough to run WordPress/Joomla, but not to install them, since the installer has to create tables
mysql> FLUSH PRIVILEGES;   # just in case
mysql> SHOW GRANTS FOR 'testuser'@'localhost';
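The SHOW GRANTS output is where the install-account versus runtime-account distinction above gets checked. As an added example that is not part of the original notes, the script below audits that output for the mistakes the notes warn about: privileges on *.* beyond the implicit USAGE row, accounts allowed in from any host ('%'), WITH GRANT OPTION, and ALL on the application database, which is fine for the installer but too broad for the account the running app uses. The input format assumed is one GRANT statement per line, as mysql -N -e "SHOW GRANTS FOR ..." prints it; both samples are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit SHOW GRANTS output for
# over-broad privileges before an application account goes live. Input is one
# GRANT statement per line; the sample outputs below are constructed.

# audit_grants [FILE]: reads GRANT lines from FILE or stdin, prints one
# "FINDING: ..." line per problem and returns 1 if there were any
audit_grants() {
    awk '
        function bad(msg) { findings++; print "FINDING: " msg }
        /^GRANT / {
            privs = $0; sub(/^GRANT /, "", privs); sub(/ ON .*/, "", privs)
            scope = $0; sub(/^.* ON /, "", scope); sub(/ TO .*/, "", scope)
            who   = $0; sub(/^.* TO /, "", who);   sub(/ WITH .*/, "", who)
            # global grants: only the implicit USAGE row is acceptable
            if (scope == "*.*" && privs != "USAGE")
                bad(who " holds " privs " on every database (ON *.*)")
            # a "%" host part lets the account connect from any address (\047 is a single quote)
            if (index(who, "@\047%\047") > 0)
                bad(who " may connect from any host (@%)")
            if ($0 ~ / WITH GRANT OPTION/)
                bad(who " can hand its privileges to other accounts (WITH GRANT OPTION)")
            # ALL on the app database suits the installer, not the app at runtime
            if (privs ~ /^ALL/ && scope != "*.*")
                bad(who " has ALL on " scope ": ok for installing, use SELECT,INSERT,UPDATE,DELETE at runtime")
        }
        END { exit (findings ? 1 : 0) }
    ' "$@"
}

# sample_grants_runtime: what SHOW GRANTS should look like for an app account (constructed)
sample_grants_runtime() {
    cat <<'EOF'
GRANT USAGE ON *.* TO 'testuser'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `hp_db`.* TO 'testuser'@'localhost'
EOF
}

# sample_grants_risky: constructed output showing the mistakes the audit catches
sample_grants_risky() {
    cat <<'EOF'
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION
GRANT ALL PRIVILEGES ON `my_db`.* TO 'michael'@'localhost'
EOF
}

sample_grants_runtime | audit_grants && echo "runtime account: no findings"
sample_grants_risky | audit_grants || echo "review the findings above before going live"
```

Against a live server the same check is mysql -N -e "SHOW GRANTS FOR 'michael'@'localhost'" | audit_grants; a clean runtime account produces no output and exit status 0.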