Linux Server Hardening & Utility Guide#


1. Initial System Setup#

Timezone & Updates#

timedatectl set-timezone America/Toronto
apt update && apt full-upgrade -y

Warpification (Terminal UI)#

echo -e '\n# Auto-Warpify\nprintf '\''\eP$f{"hook": "SourcedRcFileForWarp", "value": { "shell": "bash", "uname": "'$(uname)'" }}\x9c'\'' ' >> ~/.bashrc

Essential Package Installation#

For Virtual Machines (Full Suite):

apt install gdebi curl sudo gpg ethtool ngrep lshw lsscsi cifs-utils ncdu etherwake tasksel fail2ban openssh-server qemu-guest-agent unzip smbclient fio iperf3 nmap net-tools apt-transport-https software-properties-common wget duf tldr zip git eza snapd samba glances -y

For LXC Containers (Lightweight):

apt install curl gpg sudo fail2ban apt-transport-https software-properties-common wget etherwake zip git -y 

Security Scripts#

Run the AI protection script from the Mac Studio volume:

/Volumes/Software/Software/Scripts/MacOS/ai_deploy_safety_on_all_servers.sh

2. User & Access Management#

Root Password & Sudo Users#

# Change root password
sudo passwd root
# Create user 'marc' with NOPASSWD sudo
adduser --home /home/marc marc && usermod -aG sudo marc
echo "marc ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/marc
# sudo expects sudoers.d drop-ins to be root-owned and mode 0440
sudo chmod 0440 /etc/sudoers.d/marc
# Create user 'chr' (sudo with password)
adduser --home /home/chr chr && usermod -aG sudo chr

Configure SSH Public Key#

Edit authorized keys:

nano ~/.ssh/authorized_keys

Paste the SSH public keys from the 1Password Private note.

Restart SSH:

systemctl restart sshd

On Proxmox VE hosts, root's authorized_keys is a symlink into the cluster filesystem, so edit it there instead:

nano /etc/pve/priv/authorized_keys

Disable Root SSH Login#

Edit SSH config:

nano /etc/ssh/sshd_config

Ensure the following settings:

PermitRootLogin prohibit-password
#PermitRootLogin yes
PubkeyAuthentication yes

Apply changes (keep this session open and confirm a new key-based login works before closing it):

systemctl restart sshd
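A quick way to confirm the settings above actually took effect, added here as my own helper and not part of the original notes: sshd uses the first uncommented occurrence of a keyword, so a hardened line appended below an existing `PermitRootLogin yes` is silently ignored. The function names and the two sample configs are constructed for the example.

```bash
#!/usr/bin/env bash
# Hypothetical checker, not part of the original notes. sshd honours the FIRST
# uncommented occurrence of a keyword, so a hardened line appended to the bottom
# of sshd_config is ignored if an earlier line already sets it. Global settings
# must precede any Match block, so scanning stops at the first "Match".
# Usage: sshd_effective <keyword> <config-file>   -> prints the effective value
sshd_effective() {
    local key
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        { i = index($0, "#"); if (i) $0 = substr($0, 1, i - 1) }   # drop comments
        { gsub(/=/, " ") }                                            # allow Key=Value
        tolower($1) == "match" { exit }                               # conditional block
        NF >= 2 && tolower($1) == key { print $2; exit }              # first match wins
    ' "$2"
}
# Checks the two settings the notes ask for. Prints "ok", or the offending
# keyword and its effective value, and returns non-zero on a non-compliant file.
check_sshd_config() {
    local cfg="$1" root pubkey
    root=$(sshd_effective PermitRootLogin "$cfg")
    pubkey=$(sshd_effective PubkeyAuthentication "$cfg")
    root=${root:-prohibit-password}   # compiled-in default since OpenSSH 7.0
    pubkey=${pubkey:-yes}             # compiled-in default
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin=$root"; return 1 ;;
    esac
    [ "$pubkey" = yes ] || { echo "PubkeyAuthentication=$pubkey"; return 1; }
    echo ok
}

# Constructed samples. In the good one the commented line is inert, the first
# live line wins and the trailing "PermitRootLogin yes" never takes effect; in
# the bad one the permissive line comes first, so the hardened line does nothing.
make_good_sample() {
    cat > "$1" <<'EOF'
#PermitRootLogin yes
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitRootLogin yes
EOF
}
make_bad_sample() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PermitRootLogin prohibit-password
EOF
}
```

Because sshd_config on Ubuntu 22.04+ and Debian 12 begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there wins over the main file, so on a live host `sshd -T | grep -i permitrootlogin` remains the authoritative check.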

n8n Restricted SSH User#

Created for secure command execution from the n8n container.

# Create system user
adduser --system --home /home/n8n --shell /bin/bash --group n8n
# Setup SSH Directory
mkdir -p /home/n8n/.ssh
chown -R n8n:n8n /home/n8n
chmod 700 /home/n8n/.ssh
# Add public key from n8n host (HP1GPU)
nano /home/n8n/.ssh/authorized_keys
# Paste key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6oOUXHpXQDKMiFGmjWqZNAg6rw00a33HkooILzyeim root@HP1GPU
# Finalize Permissions
chmod 600 /home/n8n/.ssh/authorized_keys
chown n8n:n8n /home/n8n/.ssh/authorized_keys

3. Storage Maintenance#

SSD Trimming#

# Manual trim
fstrim -v /
# Enable weekly automation
systemctl enable --now fstrim.timer
# Verify schedule
systemctl list-timers fstrim.timer

LVM Partition Extension (Ubuntu)#

# Identify drive
df -h
# Extend Logical Volume
lvextend -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv
# Resize Filesystem
resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv

4. Security: #Fail2ban & #UFW#

Fail2ban Hardened Strategy#

Strategy: 3 failed attempts in 24h = 1-year ban (8760h).

  1. Set up the local config. jail.local overrides jail.conf (jail.conf itself is never edited); the [DEFAULT] values apply to every jail and the [sshd] section tightens them to the 3-strikes policy. Put your own address in ignoreip before restarting, since banaction = ufw hands bans to the UFW rules set up below and a few mistyped passwords would otherwise lock you out for a year:
cat > /etc/fail2ban/jail.local <<'EOF'
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 YOUR_HOME_IP_HERE
bantime  = 1h
findtime  = 1h
maxretry = 5
backend  = systemd
banaction = ufw

[sshd]
enabled  = true
port     = ssh
maxretry = 3
findtime = 24h
bantime  = 8760h
filter   = sshd[mode=aggressive]
EOF
  2. Restart:
systemctl restart fail2ban

UFW Firewall Setup#

Reset#

sudo ufw --force reset

Deny Incoming#

sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow Trusted SSH
sudo ufw allow from 72.11.191.80 to any port 22 proto tcp
sudo ufw allow from 24.114.107.66 to any port 22 proto tcp
# Allow Web & WireGuard
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 51820/udp
# Enable only after confirming your own source address is in the allow list above
sudo ufw enable

Terminal Aliases#

#alias

Docker- and 1Password-specific aliases live in root's shell profile:

# Edit aliases
nano /root/.bashrc

5. Network Shares (Samba - #SMB)#

Basic Share Setup#

apt install samba
smbpasswd -a marc

Add the share to /etc/samba/smb.conf:

nano /etc/samba/smb.conf

[paperless]
   path = /mnt/paperless/media/documents/originals/
   browseable = yes
   read only = no
   guest ok = no
   valid users = "marc"
   force user = "marc"

Restart Samba:

sudo systemctl restart smbd

Restricted #SMB - Only User#

A Samba-only account: with a nologin shell and no home directory it can authenticate to smbd but has no interactive login.

sudo adduser --system --shell /usr/sbin/nologin --no-create-home --group proxmox
sudo smbpasswd -a proxmox


7. Maintenance Tools#

Malware Scanning#

sudo apt install rkhunter chkrootkit -y
# Run check
sudo rkhunter --check --sk
# Update baseline after clean scan
sudo rkhunter --propupd

QEMU Guest Agent (Proxmox Integration)#

apt-get install qemu-guest-agent
systemctl start qemu-guest-agent
systemctl enable qemu-guest-agent

RClone Installation#

# Installer script from rclone.org (download and read it first if preferred)
curl https://rclone.org/install.sh | sudo bash
# Configure remotes
rclone config