
Ubuntu 16.04 Xenial Xerus server: advanced installation

1. Hardware used in the course
   a. Intel or AMD CPU with 64-bit capability
   b. Memory: at least 1 GB
   c. Hard disk: 5 x 420 GB
   d. Ethernet: 1, to get internet access (vmnet6?)
      i.   192.168.210.10/24
      ii.  gateway 192.168.210.2
      iii. DNS 192.168.210.2
2. How many disks to use?
   a. The absolute minimum is two. You need some data redundancy to protect your data and to keep the server running in case of a disk failure.
   b. For RAID 6, you'll need 4 or more disks.
   c. Use software RAID. Linux has an advanced and reliable software RAID (md); you won't get more from an expensive hardware RAID controller.
   d. With software RAID
      i.   you aren't tied to specific hardware (if a hardware RAID controller fails, you have to find a compatible one, while software RAID works with any hardware)
      ii.  the CPU impact is small; modern processors handle it easily
      iii. the operating system knows when the data is really written to the disks
      iv.  the operating system handles the disk failures
      v.   you get more flexibility
           1. you can use partitions as RAID members, so you can combine different RAID levels on the same disks (e.g. RAID 1 for the system and RAID 6 for data)
3. Which RAID type to use?
   a. RAID 1: minimum 2 disks
      i.   3 recommended to have a hot spare
      ii.  add more for higher redundancy
      iii. you'll get the capacity of the smallest disk (you can use different sizes, but it is not recommended)
   b. RAID 5: minimum 3 disks
      i.   4 recommended to have a hot spare
      ii.  add more for higher capacity
      iii. Use same-sized disks!
      iv.  You'll get the capacity of n-1 disks (e.g. 2 disks' capacity when you have 3).
   c. RAID 6: minimum 4 disks
      i.   5 recommended to have a hot spare
      ii.  add more for higher capacity
      iii. Use same-sized disks!
      iv.  You'll get the capacity of n-2 disks (e.g. 2 disks' capacity when you have 4).
   d. RAID 10: minimum 4 disks
      i.   6 recommended to have a hot spare for each RAID 1 member
      ii.  add more for higher capacity and/or higher redundancy (depending on the configuration)
      iii. Use same-sized disks!
      iv.  The overall capacity is a bit tricky; with plain 2-way mirrors it is half of the total.
4. Which architecture to use?
   a. Use the 64-bit server installer! Use the 32-bit version only if you have legacy hardware that doesn't support 64-bit, which means machines 10 or more years old.
5. Where to get the installer?
   a. Before the official release, you can find the latest beta installer here:
      i.  http://cdimage.ubuntu.com/ubuntu-server/daily/current/
          1. Download the xenial-server-amd64.iso
   b. Once Ubuntu Xenial Xerus is released, you'll find the installer here:
      i.  http://www.ubuntu.com/download/server
          1. Choose LTS, the long-term supported version, for a server!
             a. It gets updates for 5 years starting from the release date.
             b. This means 2021 in the case of Xenial Xerus.
          2. Click on Download!
   c. Download the SHA256SUMS and SHA256SUMS.gpg files published next to the image as well, and verify the image against them before you write it to any media.
6. How to boot?
   a. Create a CD or DVD or a USB stick using the image you've downloaded!
      i.  For CD/DVD: use any burning software!
      ii. For USB
          1. Use a blank stick or back up your data: you will erase it.
          2. Linux and Mac
             a. insert the stick into your computer
             b. find out the device name (use the disk utility, lsblk on Linux or diskutil list on a Mac)
                i.   in Linux it will be /dev/sdX where X is b, c, d, etc.
                ii.  in Mac it will be /dev/diskX where X is 1, 2, 3, etc.
                iii. Be aware that selecting the wrong disk can destroy all data on your computer! Triple-check it!
             c. start a terminal
             d. go to the directory you used to save the installer (e.g. Downloads)
             e. issue the following command:
                i. sudo dd if=xenial-server-amd64.iso of=DISK
                   1. replace DISK with the device name of your stick (e.g. /dev/sdc or /dev/disk3)
                   2. do not use partition numbers (bad: /dev/sdc1 or /dev/disk3s1; good: /dev/sdc or /dev/disk3)
                   3. run sync afterwards and wait for it to return before you pull the stick
          3. Windows
             a. Use a Linux or Mac please :)
             b. There is some good software that can write an image directly to a disk; google it.
             c. Do not use boot disk creators; they will create a stick that does not boot with EFI (it may work in legacy mode).
   b. EFI
      i.  You don't get the usual Ubuntu boot screen if you use (U)EFI boot, but a simplified boot menu.
      ii. You have to change the boot command line to do an expert install:
          1. Press E
             a. Edit the line beginning with linux
             b. Add the following to the end of the line: priority=low
                i. If the line contains a --- separator, put it before the ---: parameters after --- are copied into the installed system's GRUB configuration.
             c. Press Ctrl-X
   c. Legacy (BIOS)
      i.   Select English as your language!
      ii.  Press F6 and press Enter on Expert mode
      iii. Press ESC
      iv.  Press Enter on Install Ubuntu Server
   d. All modern hardware supports (U)EFI; use that!
      i.  You have no reason to use legacy mode on a server with only Ubuntu as an operating system.
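The dd step in 6.a is where people lose data and where a tampered image slips in unnoticed. Below is an added helper script (not part of the original course notes) that does what the text asks for by hand: it checks the image against the SHA256SUMS file from the same download directory and refuses to write to anything that is not a whole-disk device node. The file name xenial-server-amd64.iso and the "hash *name" layout of Ubuntu's SHA256SUMS are taken from the page and the Ubuntu mirrors; the function names are this example's own.

```shell
# verify_iso ISO SUMSFILE
# Return 0 if the SHA-256 of ISO matches its entry in SUMSFILE,
# 1 on a mismatch, 2 if SUMSFILE has no entry for that file name.
# Ubuntu's SHA256SUMS lines look like "<hash> *<name>" (binary mode);
# the "<hash>  <name>" form printed by sha256sum is accepted as well.
verify_iso() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == "*" n || $2 == n { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_iso: no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "verify_iso: checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# is_whole_disk DEVICE
# Accept only whole-disk nodes (what dd must target); reject partition
# nodes such as /dev/sdc1, /dev/nvme0n1p1 or /dev/disk3s1.
is_whole_disk() {
    case $1 in
        /dev/sd[a-z]|/dev/sd[a-z][a-z])                 return 0 ;;  # Linux SATA/SCSI/USB
        /dev/nvme[0-9]n[0-9]|/dev/nvme[0-9]n[0-9][0-9]) return 0 ;;  # Linux NVMe
        /dev/disk[0-9]|/dev/disk[0-9][0-9])             return 0 ;;  # macOS
        *)                                              return 1 ;;
    esac
}

# write_iso ISO SUMSFILE DEVICE
# Verify the image, refuse partition nodes, then copy and flush.
# This destroys everything on DEVICE: triple-check the device name first.
write_iso() {
    verify_iso "$1" "$2" || return $?
    if ! is_whole_disk "$3"; then
        echo "write_iso: $3 is not a whole-disk device, refusing" >&2
        return 3
    fi
    sudo dd if="$1" of="$3" && sync
}
```

Run it as `write_iso ~/Downloads/xenial-server-amd64.iso ~/Downloads/SHA256SUMS /dev/sdc`. The checksum check protects against a corrupt download; to protect against a tampered SHA256SUMS file as well, verify its signature first with `gpg --verify SHA256SUMS.gpg SHA256SUMS` using the Ubuntu CD image signing key.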
7. Installation
   a. Choose language
      i.   Language: English (use English to follow this course)
      ii.  Country: United Kingdom (use the right one for your location)
      iii. Country to base default locale settings on: United Kingdom (use the one that matches yours)
      iv.  Additional locales: add en_US.UTF-8 and en_GB.UTF-8 to be on the safe side
           1. If your base locale is one of these two, only add the other (the base won't appear here)
           2. Feel free to add any other locales you need to support! Adding more won't hurt.
           3. Use Unicode (UTF-8); you won't normally need anything else.
      v.   System locale: en_GB.UTF-8 (use an English one to follow this course!)
           1. Note: using anything other than English as the system locale can cause unwanted side effects later.
   b. Configure the keyboard
      i.   Detect keyboard layout? No
      ii.  Country of origin for the keyboard: English (UK) (choose according to your keyboard; choosing anything else won't hurt)
      iii. Keyboard layout: English (UK) (choose like before)
   c. Detect and mount CD-ROM
      i.  Modules to load
          1. you need usb-storage if you use a USB stick; you can leave it enabled anyway
   d. Load debconf preconfiguration file
   e. Load installer components from CD
      i.  Enable the following modules
          1. network-console
             a. you can use this to install from a remote location without a remote console in your hardware: you will be able to access the installation system using SSH
             b. TIP: ask someone to boot the installer and do the easy steps above, start the network console and give the access information to you
          2. parted
             a. if you want to do something more complicated that the installer doesn't offer
   f. Detect network hardware
   g. Configure the network
      i.   Auto-configure networking? No
           1. Don't use DHCP, it's a server! Give it a fixed, configured IP address!
      ii.  IP address: 10.0.2.10/24
           1. Set it to match your network!
      iii. Gateway: 10.0.2.1
           1. Use your router's address!
      iv.  Name server addresses: 10.0.2.1
           1. Use your DNS servers!
      v.   Waiting time (in seconds) for link detection: 3
      vi.  Hostname: caladan
           1. Use a unique name for your server!
      vii. Domain name: linuxexpert.com
           1. Use your domain name in your network!
   h. From now on, you can choose to continue the installation remotely using SSH
      i.   Whichever you choose, you will use the same menu to do it; there is no difference.
      ii.  If you don't want to use SSH, just skip to the step Set up users and passwords
      iii. I show you how to enable remote installation and how to use it
   i. Continue installation remotely using SSH
      i.   This option is only available if you loaded network-console at step 7.e.
      ii.  Remote installation password: forgotten
           1. Use a secure password!
           2. This is for the remote installation only; you will be able to set the admin password later.
      iii. Start SSH
           1. You can now access the installer at the configured address (10.0.2.10 in my case) on port 22.
           2. Username: installer
           3. Password: configured above
           4. Note the fingerprint of the SSH server shown on the console!
              a. When you connect, your ssh client will display a fingerprint. Compare them! Refuse to connect in case of a mismatch (it means a man-in-the-middle attack, or that you are talking to the wrong host).
              b. The purpose of this is to avoid a MitM attack: the installer's host key is generated fresh at this step, so the physical console is the only trustworthy place to read it from.
           5. ssh to the server now!
              a. ssh installer@10.0.2.10
              b. Network console option: Start installer (expert mode)
           6. DO NOT press Continue on the physical console!
           7. DO NOT open a second ssh session to it!
           8. Now you can continue as normal.
   j. Set up users and passwords
      i.   Enable shadow passwords? Yes
      ii.  Allow login as root? No
      iii. Full name for the new user: Linux Expert Admin
           1. use a name you want
      iv.  Username for your account: adminle
           1. do not use root!
           2. do not use administrator if you ever want to set up an Active Directory on this server!
              a. or any other name you want to use in AD
           3. TIP: use your initials with admin (like admin + Linux Expert = adminle)
      v.   Choose a password for the new user: remembered
           1. use a secure password! this will be used to access your server from the console and remotely (ssh)
      vi.  Encrypt your home directory? No
           1. This is a server; you won't store your personal data with this admin account, will you?
   k. Configure the clock
      i.   Set the clock using NTP? Yes
      ii.  NTP server to use: ntp.ubuntu.com
           1. or you can use a server closer to you, like the regional pool uk.pool.ntp.org, or your own local NTP server
      iii. Based on your present physical location, your time zone is Europe/London.
           1. Is this time zone correct? Yes
              a. If not, you'll be able to select from a list.
   l. Detect disks
   m. Partition disks
      i.  Partitioning method: Manual
      ii. I have five 451 GB disks (the 420 GiB disks from the hardware list, shown by the installer in decimal GB)
          1. I'm going to use RAID 1 (mirroring) for the system with 4 active and 1 spare disks
             a. maximum data protection, so my system will boot at least
          2. I'm going to use RAID 6 for the data with 4 active and 1 spare disks
             a. more space for data; if something goes wrong I will be able to fix it as the system runs from the mirrored partitions
          3. I'm going to use the Logical Volume Manager to manage my disks
             a. one volume group for the system and another for data
          4. I'm going to use GPT
             a. forget the legacy (MS-DOS) mode, you won't need that
             b. all modern operating systems use GPT (including Windows and macOS)
             c. for (U)EFI, you have to use GPT; for legacy (BIOS) mode you don't have to, but it is recommended (it needs a dedicated BIOS boot partition, see below)
      iii. Create a GPT partition scheme on all disks!
           1. Go to the first disk, press Enter on it
              a. e.g.: SCSI2 (0,0,0) (sda) - 451.0 GB ATA VBOX HARDDISK
              b. Create new empty partition table on this device? Yes
              c. Partition table type: gpt
                 i. Forget the msdos table type; it won't work with (U)EFI. Using GPT is fine.
              d. You'll have a FREE SPACE entry under the disk.
           2. Do the same with all remaining disks you want to use.
      iv. Create three partitions on each disk
          1. Go to the first disk's FREE SPACE, press Enter on it!
          2. How to use this free space: Create a new partition
          3. New partition size: 540 MB
             a. this will be used to boot your system (EFI standard)
             b. without an EFI System Partition, EFI can't boot
             c. if you use legacy mode (BIOS) to boot, this must instead be a dedicated BIOS boot area, required by GRUB to boot from a GPT-partitioned disk
          4. Location for the new partition: Beginning
          5. Partition settings:
             a. Name: efi
             b. Use as: EFI System Partition
             c. Bootable flag: on
             d. Done setting up the partition
          6. You may see a 1.0 MB FREE SPACE above your EFI system partition (ESP); that's normal alignment. Do not use that space.
          7. Go to the next line with 450.4 GB FREE SPACE and press Enter!
          8. How to use this free space: Create a new partition
          9. New partition size: 50 GB
             a. It's usually enough for your system. You'll create another partition for your data.
          10. Location for the new partition: Beginning
          11. Partition settings:
              a. Name: left1st-raid1-2
                 i.   Choose a name you can use to identify the physical disk!
                 ii.  You can use a relevant part of the serial number (TIP: use lshw in a live Linux to get the serial) or the physical location of the disk in your server. This will help you to find the physical disk when it fails.
                 iii. Add usage info (e.g. raid1) and the real partition number (2nd in my case; the 1st was the EFI partition).
              b. Use as: physical volume for RAID
              c. Bootable flag: off
              d. Done setting up the partition
          12. Go to the next line with 400.4 GB FREE SPACE and press Enter!
          13. How to use this free space: Create a new partition
          14. New partition size: 99%
              a. Do not use your entire disk space. Disks have different sizes; even disks from the same manufacturer do. For RAID, you'll need exactly the same-sized partitions. Later, when you have to replace a failed disk, you must be able to create a partition at least this size. If the new disk is smaller by just a few megabytes, you'll be in trouble. To avoid this, create a smaller partition now.
          15. Location for the new partition: Beginning
          16. Partition settings:
              a. Name: left1st-raid6-3
                 i. This will be used as a RAID 6 member (for your data)
              b. Use as: physical volume for RAID
              c. Bootable flag: off
              d. Done setting up the partition
          17. You'll see a small (4.0 GB in my case) FREE SPACE as a result of using 99% only. This is fine. You can use that space for temporary data if you want, but do not use it for your live system.
      v.  Repeat the above steps on all the disks.
          1. Use relevant names for the partitions!
             a. e.g.: left2nd-raid1-2 for the system on the physical disk in the 2nd slot from the left on your server, left2nd-raid6-3 for the data on the same disk, and so on.
             b. Use names that help you to identify the disk.
          2. Create exactly same-sized partitions!
          3. The EFI partition's name doesn't matter (you can name it efi; that's fine). You'll need one EFI partition on every disk you want to be bootable.
             a. Note that the installer populates only the ESP of the disk it installs GRUB on. For the other disks to actually boot after a failure, you will have to copy that ESP's contents to their ESPs later.
      vi. Configure software RAID
          1. Write the changes to the storage devices and configure RAID? Yes
          2. Create MD device
             a. Software RAID device type: RAID1
             b. Number of active devices for the RAID1 array: 4
                i. For RAID 1, 2 active disks are enough. We have 5 disks to be able to use RAID 6 with a spare disk. For the system, however, I suggest using RAID 1, because it's easier to recover. As we'll use the first four disks as active disks in RAID 6 for data, there's no reason to use any of them as a spare here.
             c. Number of spare devices for the RAID1 array: 1
                i.  This partition won't be used at all until it is needed. You can configure the disk to spin down.
                ii. It will be used automatically when one disk fails in the array.
             d. Active devices for the RAID1 array:
                i.   /dev/sda2
                ii.  /dev/sdb2
                iii. /dev/sdc2
                iv.  /dev/sdd2
             e. Spare devices for the RAID1 array:
                i. /dev/sde2
          3. Create MD device
             a. Software RAID device type: RAID6
             b. Number of active devices for the RAID6 array: 4
                i.  this is the absolute minimum
                ii. you can add more to have more space (you'll need more physical disks, of course; building an array out of several partitions of one disk is pointless and will result in trouble and low I/O speed)
             c. Number of spare devices for the RAID6 array: 1
             d. Active devices for the RAID6 array:
                i.   /dev/sda3
                ii.  /dev/sdb3
                iii. /dev/sdc3
                iv.  /dev/sdd3
             e. Spare devices for the RAID6 array:
                i. /dev/sde3
          4. Finish
      vii. I have a dedicated course on Linux software RAID which will be released soon. In that course you'll learn the command-line management of software RAID.
      viii. Now you have two more disks:
          1. RAID1 device #0 - 50.0 GB Software RAID device
             a. this one has 50 GB of space
          2. RAID6 device #1 - 792.6 GB Software RAID device
             a. this one has 792.6 GB of space: (4-2) x 396.4 GB (4 active, 2 for parity)
             b. if you have 5 active disks, that will result in (5-2) x size (5 active, 2 for parity)
             c. you can lose 2 disks without losing data, regardless of the number of active disks
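Once the system is running, the state of the two arrays built above is visible in /proc/mdstat. The following is an added example (not from the course notes) that reads that file's format and reports, per array, whether all members are present, whether a rebuild is in progress and how many spares are attached; it is the kind of check you would run from cron or a monitoring agent so a failed member does not go unnoticed. The sample input in the test is constructed to match the md0/md1 layout from this section.

```shell
# mdstat_report < /proc/mdstat
# Prints one line per array: "<name> <level> <status> <active>/<total> spares=<n>"
# where status is "ok", "degraded" (a member is missing) or "recovering"
# (a resync/recovery/reshape is running). Returns 1 if any array is not "ok".
mdstat_report() {
    awk '
        function flush() {
            if (name != "") {
                printf "%s %s %s %s spares=%d\n", name, level, status, counts, spares
                if (status != "ok") bad++
                name = ""
            }
        }
        # Header line: "md0 : active raid1 sda2[0] sdb2[1] sde2[4](S)"
        # Members tagged (S) are spares, (F) are failed.
        /^md[0-9]+ :/ {
            flush()
            name = $1; level = $4; spares = 0; status = "unknown"; counts = "?"
            for (i = 5; i <= NF; i++) if ($i ~ /\(S\)$/) spares++
            next
        }
        # Status line: "... [4/4] [UUUU]"; an underscore marks a missing member.
        name != "" && /\[[0-9]+\/[0-9]+\] \[[U_]+\]/ {
            match($0, /\[[0-9]+\/[0-9]+\]/)
            counts = substr($0, RSTART + 1, RLENGTH - 2)
            match($0, /\[[U_]+\]/)
            members = substr($0, RSTART + 1, RLENGTH - 2)
            status = (members ~ /_/) ? "degraded" : "ok"
            next
        }
        # Progress line is present only while the array is being rebuilt.
        name != "" && /recovery|resync|reshape/ { status = "recovering" }
        # A blank line terminates an array block.
        /^$/ { flush() }
        END {
            flush()
            if (bad > 0) exit 1
            exit 0
        }
    '
}
```

A non-zero exit from `mdstat_report < /proc/mdstat` is what you alert on; the printed line tells you which array and how far the recovery has progressed is in /proc/mdstat itself.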
      ix. Go to the line under RAID1 device #0 - 50.0 GB Software RAID device (#1 50.0 GB) and press Enter!
          1. Partition settings:
             a. Use as: physical volume for LVM
                i. You'll use the Logical Volume Manager (LVM) to create dedicated volumes for the file systems. This ends up in an easier to manage and more secure system. It means more to do now, but later you'll be happy you've done it.
             b. Done setting up the partition
      x.  Go to the line under RAID6 device #1 - 792.6 GB Software RAID device (#1 792.6 GB) and press Enter!
          1. Partition settings:
             a. Use as: physical volume for LVM
             b. Done setting up the partition
      xi. Create logical volumes!
          1. Logical volumes will be used to create file systems and mount them.
             a. Logical volumes can be resized any time. You can expand a volume without downtime.
             b. Logical volumes can be moved between physical volumes within the same volume group: you can easily move data to new disks with very little or no downtime.
             c. I have a dedicated course on LVM, which will be released soon. In that course you'll learn the basics of LVM including volume management.
          2. Go to Configure the Logical Volume Manager and press Enter!
             a. Write the changes to disks and configure LVM? Yes
             b. Create volume group
                i.  Volume group name: vgcaladan_system
                    1. Volume groups are containers of physical volumes like disk partitions or RAID devices. You'll learn more about it in my LVM course.
                    2. All volume groups must have a unique name.
                    3. Start the name with vg to reflect that it's a volume group. It'll make it easier for you to find your volume groups in the system.
                    4. To have a unique name, add your system's unique name to it. In my case it's caladan. It's not just unique; you'll always know where this volume group belongs.
                    5. If you're going to have more volume groups like me, add the purpose of the group to the name. I separate it from the system name with an underscore (_) to keep it human-readable. I don't recommend using a dash (-), as the dash is what separates the volume group's name from the volume's name in the device-mapper names (/dev/mapper/vg-lv), so a dash in either name ends up doubled (--), which makes the names strange and ugly. This will be the volume group for the system, so I add _system.
                ii. Devices for the new volume group:
                    1. /dev/md0
                    2. Theoretically you can use more devices, but that's a more complicated setup and the installer can't handle it as it should. You'll learn about it in the LVM course.
             c. Create volume group
                i.  Volume group name: vgcaladan_data
                    1. This will be the group for your data using the RAID 6 array.
                ii. Devices for the new volume group:
                    1. /dev/md1
             d. You have to create logical volumes to use as block devices for file systems.
                i.  It is a good idea to have dedicated volumes for all your services, plus for some mission-critical paths like var, log and spool, and to separate others, to keep your server up and running when some service or user fills up a file system.
                ii. As a recommended minimum, I use the following volumes:
                    1. root: system root, required, mounted as /
                    2. swap: virtual memory, recommended, used as swap
                    3. boot: system boot (kernel, initramfs), recommended, mounted as /boot
                    4. usr: service binaries and libraries, shared data, etc., recommended, mounted as /usr
                    5. var: variable data, recommended, mounted as /var
                    6. log: system logs, recommended, mounted as /var/log
                    7. tmp: world-writable temporary directory, recommended, mounted as /tmp
                    8. vartmp: rarely used but also world-writable temp dir, recommended, mounted as /var/tmp
                    9. cache: cache data of various applications like the package manager (apt) in Ubuntu, recommended, mounted as /var/cache
                    10. spool: spool data of various applications like mail servers, recommended, mounted as /var/spool
                        a. It is recommended to have a separate volume for each service. That can be created later.
                    11. home: user data, used by Samba for example when you share users' home directories, recommended, mounted as /home
                    12. And a separate volume for each service you install. I recommend doing this later (together with the service installation).
                iii. Let's create the volumes!
                    1. Create all but home in the system group to make your system bootable without the data array.
                    2. Create logical volume
                       a. Volume group: vgcaladan_system
                       b. Logical volume name: root
                       c. Logical volume size: 2 GB
                          i. It's enough as a start if you create all the volumes I suggested above. You can make it bigger any time, live.
                    3. Do the same with each:
                       a. swap: vgcaladan_system, 2 GB
                          i.  use the size of your physical RAM in most cases
                          ii. you have to create swap on a redundant disk (RAID); otherwise a disk failure can crash your entire server (if Linux can't read swapped memory back)
                       b. boot: vgcaladan_system, 1 GB
                       c. usr: vgcaladan_system, 2 GB
                       d. var: vgcaladan_system, 2 GB
                       e. log: vgcaladan_system, 1 GB
                       f. tmp: vgcaladan_system, 1 GB
                       g. vartmp: vgcaladan_system, 1 GB
                       h. cache: vgcaladan_system, 2 GB
                       i. spool: vgcaladan_system, 1 GB
                       j. home: vgcaladan_data, 2 GB
                          i. you can make it bigger if you want to store more data in home
                       k. Note that it's easy to extend a volume live, but reducing one is risky and, for most file systems, impossible without unmounting. The best practice here is to create the minimum that's enough to install and boot your system. Later you can extend any volume as needed.
                    4. Finish
      xii. You're now back at the Partition disks menu and you can find all the newly created volumes there. Now you have to create a file system on each and specify the mount point and options. Do it! I'll go through them as listed in the menu. The order is not relevant.
      xiii. Select the line below LVM VG vgcaladan_data, LV home - 2.0 GB Linux device-mapper (linear) (#1 2.0 GB) and press Enter!
           1. Partition settings:
              a. Use as: btrfs journaling file system
                 i.  You can choose a different file system if you want (only ext4/ext3/ext2/btrfs/JFS/XFS can be used for system volumes).
                 ii. I suggest btrfs because it's stable, fast and much better at integrity thanks to copy-on-write and checksums: it detects silently corrupted blocks that a plain RAID would hand back as valid.
              b. Mount point: /home
              c. Mount options: noatime,nodev,nosuid,noexec
                 i.   select noatime to lower disk I/O; a good choice to extend the lifetime of solid-state drives
                      1. atime is a timestamp on each file that reflects the last access time (the other two are mtime, the content modification time, and ctime, the inode change time). In most cases you won't need the access time, so it's safe to disable it with noatime. Updating atime means a disk write each time a file is read.
                 ii.  select nodev: this prevents the use of device files on this volume. Device files are special files used to access devices such as disks. They're in /dev and there is no reason to have a device file in any other location. It's a good and simple security enhancement to disable them everywhere except / (root). An attacker can use a self-created device file to read raw disk data or break out of a chroot, etc.
                 iii. select nosuid: another security concern; in /home you don't need setuid support, disable it! Setuid is a way in Unix-like systems to give more privilege to a binary (running as another user, typically root), setting the user ID (setuid) it runs as. There are some binaries using it, like passwd (to be able to update /etc/passwd and /etc/shadow). You need it on / (root) and maybe on /usr, but not in any other place. Disable it!
                 iv.  select noexec: same here, it prevents running binaries from this location at all. You'll store and run binaries in /home once in a blue moon. Disable it now. Note that noexec is a hardening measure, not a hard boundary: a script on a noexec volume can still be handed to an interpreter explicitly (sh /home/user/script.sh). You can change any of these settings later.
              d. Label: home
                 i.  optional, but a good practice to give a unique, meaningful label to a file system
                 ii. I give it the same name as the volume
              e. Done setting up the partition
      xiv. Do the same with each volume:
           1. boot
              a. Use as: btrfs journaling file system
              b. Mount point: /boot
              c. Mount options: noatime,nodev,nosuid,noexec
              d. Label: boot
           2. cache
              a. Use as: btrfs journaling file system
              b. Mount point: /var/cache
                 i. Use Enter manually and enter the path
              c. Mount options: nodev,nosuid,noexec
                 i. in cache it's good to know when a file was last accessed
              d. Label: cache
           3. log
              a. Use as: btrfs journaling file system
              b. Mount point: /var/log
              c. Mount options: noatime,nodev,nosuid,noexec
              d. Label: log
           4. root
              a. Use as: btrfs journaling file system
              b. Mount point: /
              c. Mount options: noatime
                 i. Here you need suid, dev and exec to boot and use your system
              d. Label: root
           5. spool
              a. Use as: btrfs journaling file system
              b. Mount point: /var/spool
              c. Mount options: nodev,nosuid,noexec
                 i. Some services may use atime in spool, so disabling it can result in unwanted side effects.
              d. Label: spool
           6. swap
              a. Use as: swap area
           7. tmp
              a. Use as: btrfs journaling file system
              b. Mount point: /tmp
              c. Mount options: nodev,nosuid,noexec
                 i. in tmp it's good to know when a file was last accessed
              d. Label: tmp
           8. usr
              a. Use as: btrfs journaling file system
              b. Mount point: /usr
              c. Mount options: noatime,nodev
                 i. In usr you need exec and suid, but you won't have device files.
              d. Label: usr
           9. var
              a. Use as: btrfs journaling file system
              b. Mount point: /var
              c. Mount options: noatime,nodev,nosuid
                 i. In an Ubuntu or Debian system, the dpkg package manager runs installation scripts from /var/lib/dpkg/info, therefore you need exec rights there, or create a dedicated volume for that path (not tested).
              d. Label: var
           10. vartmp
              a. Use as: btrfs journaling file system
              b. Mount point: /var/tmp
              c. Mount options: nodev,nosuid,noexec
                 i. like /tmp
              d. Label: vartmp
      xv. You're done with the hardest part. Go on, scroll down and select Finish partitioning and write changes to disk!
          1. Review what you've done! If everything is OK, select Yes!
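Mount options chosen in the installer are easy to lose later (a hand-edited /etc/fstab, a rescue boot, a volume re-created during a migration). The script below is an added example, not part of the original notes: it encodes the per-mount-point option policy from xiii and xiv above and audits /proc/mounts-format input against it, printing every missing option. The policy table and the sample mount lines in the test are this example's own constructions following the layout described on this page.

```shell
# required_opts MOUNTPOINT
# Print the mount options the plan above requires for MOUNTPOINT
# (empty for mount points the plan does not cover, e.g. /boot/efi).
required_opts() {
    case $1 in
        /home|/boot|/var/log)                echo "noatime nodev nosuid noexec" ;;
        /tmp|/var/tmp|/var/cache|/var/spool) echo "nodev nosuid noexec" ;;
        /var)                                echo "noatime nodev nosuid" ;;
        /usr)                                echo "noatime nodev" ;;
        /)                                   echo "noatime" ;;
        *)                                   echo "" ;;
    esac
}

# has_opt "opt1,opt2,..." OPT
# Return 0 if OPT appears as a whole item in the comma-separated list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts < /proc/mounts
# Input lines: "<source> <target> <fstype> <options> <dump> <pass>".
# Prints "<mountpoint>: missing <opt>" for every gap; returns 1 if any.
audit_mounts() {
    missing=0
    while read -r src mnt fstype opts rest; do
        for want in $(required_opts "$mnt"); do
            if ! has_opt "$opts" "$want"; then
                echo "$mnt: missing $want"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}
```

Run `audit_mounts < /proc/mounts` on the finished server (or `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS | audit_mounts` for the same four leading columns). Note that /proc/mounts shows the kernel's effective options, so a `relatime` where you asked for `noatime` means the option never took effect, not just that fstab was edited.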
   n. Install the system
      i.   Type of installation: normal
      ii.  Kernel to install: linux-signed-generic
           1. Change it only if you know what you're doing.
           2. On a system with Secure Boot enabled, you have to use the signed one.
      iii. Drivers to include in the initrd: generic: include all available drivers
           1. Selecting targeted can speed up the boot a bit, but makes it harder to boot your system on other hardware (with generic, Linux can be booted on almost any hardware without modifications).
   o. Configure the package manager
      i.    Use a network mirror? Yes
      ii.   Protocol for file downloads: http
            1. The repository index (the Release file) is GPG-signed and every package (.deb) is verified against the hashes it carries, so plain HTTP is fine as far as integrity goes. It gives you no confidentiality: anyone on the path can see which packages you install.
      iii.  Ubuntu archive mirror country: United Kingdom
            1. Select the country you're in!
      iv.   Ubuntu archive mirror: gb.archive.ubuntu.com
            1. Select a suitable mirror in your country!
            2. You can change it later.
      v.    HTTP proxy information (blank for none):
            1. If you need a proxy to access the internet, specify it here. I don't.
      vi.   Use restricted software? No
            1. I see no reason to enable it at installation.
            2. You can always enable it when you need something from this repository.
      vii.  Use software from the "universe" component? No
            1. Same as above, plus these packages are community-maintained and not covered by Canonical's long-term support, so be aware!
      viii. Use software from the "multiverse" component? No
            1. Same as above (non-LTS)
      ix.   Use backported software? No
            1. Not recommended. It'll be useful later, when you need updated software, but not with a newly released distribution. Enable it when needed.
      x.    Enable source repositories in APT? No
            1. You don't need this unless you want to compile your own version of a package. Not recommended.
            2. You shouldn't install development tools onto a production server if possible, to make it harder for an intruder to compile and run malicious code. No development tools, combined with the noexec file system option, is a good basic practice to make your system more secure.
   p. Select and install software
      i.   How do you want to manage upgrades on this system?
           1. Install security updates automatically
              a. If you're paranoid or afraid of breaking your system, use No automatic updates, but DO update by hand every day! The most common problem with a server is not updating it. If you do so (manually or automatically), you'll be safe in most cases (most attacks use well-known vulnerabilities with fixes already released).
              b. Have I told you that you have to update your system whenever a new security update has been released?
           2. You can change this later.
      ii.  Choose software to install:
           1. Install only standard system utilities and OpenSSH server.
              a. You'll need the first one to manage your system, the second one to access it over the network using SSH.
           2. You can install all the services later. You don't have to do it at this time. I never do.
      iii. Postfix Configuration
           1. Ubuntu installs the Postfix MTA by default. It's a good idea; it makes it possible to deliver system messages.
           2. General type of mail configuration: Local only
              a. For now it's enough to have it deliver mail locally. Later you can configure it if you want remote mail delivery.
           3. System mail name: caladan.linuxexpert.com
              a. Use your system name. You can change it later. With local-only mode, it doesn't matter.
   q. Install the GRUB boot loader on a hard disk
      i. Force GRUB installation to the EFI removable media path? No
         1. Normally not needed, but it's hard to fix later, so you may safely select Yes as Ubuntu is the only operating system on this machine.
   r. Finish the installation
      i. Is the system clock set to UTC? Yes
         1. Linux uses UTC for the system clock; select Yes.
         2. If you have another OS like Windows that stores local time in the system clock, you should select No. But you don't install two operating systems on the same hardware, do you?
   s. Installation complete
      i.  You're done, master!
      ii. Your new Ubuntu server is just booting. Enjoy it!
8. You learned how to install a long-term supported, secure and reliable Ubuntu server. Your next step is to add services and learn the basic management.
   a. Look for my upcoming courses on these topics!
