
Basic setup on a new Linux box

Here are some commands and scripts for setting up a new Linux box.

Create a user and set up a public key

Using the root account for everything on Linux is dangerous: root can overwrite firewall rules, read every password file, delete any file, and so on. The root account has permission to do all of these damaging things.

To limit that risk, we usually create a separate account (and a separate user group) and do day-to-day work from it.

```shell
# add new user appuser
adduser appuser

# add the user to the sudo group
usermod -aG sudo appuser

# assign /bin/bash as the default login shell
chsh -s /bin/bash appuser
```

Then we can `su appuser` and add our public key to appuser's `~/.ssh/authorized_keys` to enable public-key SSH login instead of password login.

```shell
# switch to user appuser
su appuser

# create a key pair; the ~/.ssh folder is created as a side effect
ssh-keygen -t rsa

# If you want to log in to the new box from your local PC:
# copy your local PC's public key (~/.ssh/id_rsa.pub on the PC)
# and append it to ~/.ssh/authorized_keys on the new box
```

Install Java and Node.js

Then we can install some basic software.

```shell
# install java
sudo apt install -y openjdk-17-jdk

# install nodejs via nvm (cloned from the cnpm mirror), checking out the latest tag
git clone https://github.com/cnpm/nvm.git ~/.nvm && cd ~/.nvm && git checkout `git describe --abbrev=0 --tags`
echo ". ~/.nvm/nvm.sh" >> ~/.bashrc
# reload the shell config we just appended to, so nvm is available in this session
source ~/.bashrc
nvm install 18
```

Firewall setup with ufw

Normally we can use iptables or firewalld to configure the firewall. But if you are looking for something simpler, take a look at ufw, which stands for Uncomplicated Firewall.

To avoid locking yourself out of your new box, read through the documentation before running the commands below.

Some basic commands

```shell
# show current status (inactive on a fresh box)
$ sudo ufw status

# default: deny all incoming connections
$ sudo ufw default deny

# allow ssh connections; do this BEFORE enabling the firewall,
# otherwise new ssh sessions to the box will be blocked
$ sudo ufw allow ssh

# allow connections from localhost to port 3389
$ sudo ufw allow from 127.0.0.1 to any port 3389

# start the service (the rules above take effect now)
$ sudo ufw enable

# check status again to confirm the rules are in effect
$ sudo ufw status
Status: active

To            Action    From
--            ------    ----
22            ALLOW     Anywhere
3389          ALLOW     127.0.0.1
```
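As an added example (not part of the original notes), a small pre-flight check that refuses to run `ufw enable` unless the current `ufw status` output already contains an SSH allow rule, which is the lockout mistake the warning above is about. The `ssh_allowed_in_status` and `safe_ufw_enable` function names and the sample status texts are mine; the samples are constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example: guard "ufw enable" behind a check for an existing SSH allow rule.

# ssh_allowed_in_status STATUS_TEXT
# Reads the text of `ufw status` and prints "yes" (exit 0) if there is an
# ALLOW rule for port 22 (either "22" or "22/tcp", as ufw prints for
# `ufw allow ssh`); otherwise prints "no" (exit 1).
ssh_allowed_in_status() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^22(\/tcp)?$/ && $2 == "ALLOW" { found = 1 }
    END { if (found) { print "yes"; exit 0 } else { print "no"; exit 1 } }'
}

# safe_ufw_enable
# Only enables the firewall when the live status already allows SSH.
# Assumes ufw is installed and we have sudo; meant for interactive use.
safe_ufw_enable() {
  if ssh_allowed_in_status "$(sudo ufw status)" >/dev/null; then
    sudo ufw enable
  else
    echo "refusing to enable ufw: no SSH allow rule found; run 'sudo ufw allow ssh' first" >&2
    return 1
  fi
}

# Constructed sample outputs used to exercise the check offline.
STATUS_WITH_SSH='Status: active

To            Action    From
--            ------    ----
22            ALLOW     Anywhere
3389          ALLOW     127.0.0.1'

# A fresh box: the firewall is off and no rules are listed.
STATUS_WITHOUT_SSH='Status: inactive'
```

On a real box, call `safe_ufw_enable` in place of `sudo ufw enable`; the rule list is inspected from the same `ufw status` output shown above.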

Advanced usage

Rule syntax for allowing and denying a port

```shell
# Allow a port; the protocol suffix is optional
sudo ufw allow <port>[/<protocol>]
sudo ufw allow 53/tcp

# Deny a port; the protocol suffix is optional
sudo ufw deny <port>[/<protocol>]
sudo ufw deny 53/tcp
```

Advanced rule syntax

```shell
# Allow by specific source IP address
sudo ufw allow from <ip address>

# Allow by source address and port; <port number> is the local (destination) port
sudo ufw allow from <target> to <destination> port <port number>

# Allow by source address, port and protocol
sudo ufw allow from <target> to <destination> port <port number> proto <protocol name>

# example: allow IP address 192.168.0.4 to access port 22 over TCP
sudo ufw allow from 192.168.0.4 to any port 22 proto tcp
```

More examples:

```shell
# allow connections from 192.168.1.2
$ sudo ufw allow from 192.168.1.2

# allow connections from the 192.168.2.0/24 network (192.168.2.1 ~ 192.168.2.254) on port 22
$ sudo ufw allow from 192.168.2.0/24 to any port 22

# block connections from 110.88.4.5 on port 22
$ sudo ufw deny from 110.88.4.5 to any port 22

# block connections from the 27.16.3.0/24 network (27.16.3.1 ~ 27.16.3.254)
$ sudo ufw deny from 27.16.3.0/24
```

For more examples, see the ufw documentation.
