= What to install in a new Ubuntu Server =

== Updates ==

 1. {{{apt update && apt upgrade -y}}}
 1. Install the package that applies security updates automatically: {{{apt install unattended-upgrades -y}}}. Then check that it is configured in {{{/etc/apt/apt.conf.d/20auto-upgrades}}}: both {{{APT::Periodic::Update-Package-Lists}}} and {{{APT::Periodic::Unattended-Upgrade}}} should be set to "1".

== Add Admin User that is not root ==

 1. {{{adduser [name]}}} ...
 1. {{{usermod -aG sudo [name]}}}
 1. Test the new user before you proceed: you should be able to log in as [name] and {{{sudo su}}} to root.

== SSH ==

 1. Make a backup of your original config: {{{cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak}}}
 1. Set {{{PermitRootLogin no}}} in /etc/ssh/sshd_config
 1. {{{systemctl restart ssh}}}
 1. Make sure that the service is enabled: {{{systemctl enable ssh}}}
 1. Test this: you should no longer be able to log in as root over ssh. If there are errors, run {{{sshd -t}}} to check the configuration.

== UFW Firewall ==

 1. Allow ssh {{{ufw allow ssh}}}
 1. Allow http {{{ufw allow 80/tcp}}}
 1. Allow https {{{ufw allow 443/tcp}}}

Enable the firewall: {{{ufw enable}}} (make sure the ssh rule above is in place first, or you can lock yourself out of a remote server).

Check status: {{{ufw status verbose}}}

== Install Fail2Ban ==

 1. {{{apt install fail2ban}}}

Configure /etc/fail2ban/jail.conf and add the following to the [ssh] section (note that the first one you find is commented out, so look for the one that is not commented out). Package upgrades overwrite jail.conf, so you may prefer to put these lines in /etc/fail2ban/jail.local, which overrides it; either way, check that the section name matches the jail name in your jail.conf (recent fail2ban releases name the SSH jail [sshd]).

{{{
[ssh]
enabled = true
maxretry = 3
findtime = 10
bantime = 4h
}}}

Restart and enable the service:

{{{
# systemctl restart fail2ban
# systemctl enable fail2ban
# systemctl status fail2ban
}}}

== Setup SSH Login via certificate only ==

First, let's copy your public key to the server.

{{{
ssh-copy-id -i [identity_file] username@ip
}}}

Next, edit /etc/ssh/sshd_config and set:

{{{
PasswordAuthentication no
PubkeyAuthentication yes
}}}

Now you can only log in with a public key. Restart the service ({{{systemctl restart ssh}}}) and, before closing your current session, confirm from a second terminal that key login works and password login is refused. On Ubuntu cloud images, files under /etc/ssh/sshd_config.d/ are included ahead of sshd_config and take precedence, so check that none of them re-enables PasswordAuthentication; {{{sshd -T}}} prints the effective settings.
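A script to re-check the Updates, SSH and UFW steps above after a reboot. This is an added example, not part of the original page: each check function takes captured command output as its argument so it can also run against saved output, and the sample outputs at the bottom are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the page: re-check the hardening steps above.
# Each check_* function takes captured command output as its argument, so the
# checks can run against saved output; --live gathers it from the local system.

# /etc/apt/apt.conf.d/20auto-upgrades: both periodic keys must be "1".
check_auto_upgrades() {
  local conf="$1" key
  for key in Update-Package-Lists Unattended-Upgrade; do
    printf '%s\n' "$conf" | grep -Eq "^APT::Periodic::${key} \"1\";" || return 1
  done
}

# Effective sshd settings as printed by `sshd -T` (lowercase keywords), which
# also reflects any override dropped into /etc/ssh/sshd_config.d/.
check_sshd() {
  local dump="$1" want
  for want in 'permitrootlogin no' 'passwordauthentication no' 'pubkeyauthentication yes'; do
    printf '%s\n' "$dump" | grep -Fqx "$want" || return 1
  done
}

# `ufw status verbose`: active, deny incoming by default, and no ALLOW IN rule
# other than the three ports opened on this page (22, 80, 443).
check_ufw() {
  local status="$1"
  printf '%s\n' "$status" | grep -q '^Status: active' || return 1
  printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' || return 1
  ! printf '%s\n' "$status" | grep 'ALLOW IN' | grep -Evq '^(22|80|443)/tcp'
}

# Constructed sample output for a host that followed every step above.
GOOD_APT='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
GOOD_SSHD='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'
GOOD_UFW='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'
# Run all three checks on the local host (sshd -T needs root).
audit_live() {
  check_auto_upgrades "$(cat /etc/apt/apt.conf.d/20auto-upgrades)" &&
    check_sshd "$(sshd -T)" && check_ufw "$(ufw status verbose)"
}

if [ "${1:-}" = "--live" ]; then audit_live && echo "all checks passed"; fi
```

Run it as root with {{{--live}}} on the server; a non-zero exit means one of the three steps did not take effect.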

== Caddy (Optional) ==

Installation is easy in Ubuntu 24.04 and the like:

{{{
apt install caddy
}}}

Now, just follow the documentation on the [[https://caddyserver.com/docs/|caddy website]].

Finally, check that caddy is running and enabled at boot with {{{systemctl status caddy}}}.

== Docker CE (Optional) ==

Go straight to the source for this: https://docs.docker.com/engine/install/ubuntu/

Interestingly, docker-compose didn't get installed by following these instructions. That's OK, a one-liner gets it (note that Docker's own instructions install the Compose plugin, invoked as {{{docker compose}}}, while the Ubuntu {{{docker-compose}}} package is the older standalone v1 tool):

{{{
apt install docker-compose
}}}