Ubuntu23.04_en

1. Set root password and use SU command In the default configuration of Ubuntu, the root user is unavailable because no password has been set. By setting a password for the root user, transitions using the traditional [su] command will be possible. 3. Make locate command available The find command is often used to search for specific files throughout the Linux system, but find is somewhat confusing in terms of specifying options. The locate command can extract all files with a specified filename. 5. Network Settings 5.1 Host Name Settings This procedure is not necessary if you have already set the hostname at the time of Ubuntu installation and wish to use the hostname as it is. To change the hostname, use the "hostnamectl set-hostname" command. As an example, we set "ubuntu-10" as the hostname. 5.2 Set IP address to network interface If a fixed IP address was specified during Ubuntu installation, this section is not necessary. To change the IP address, change the " /etc/netplan/00-installer-config.yaml" file, and then restart the network interface (enp0s3 in this environment). The network interface name will change depending on the environment in which the setup was performed, so check the interface name first.

1.Obtain a certificate (Let's Encrypt) 1.1 advance preparation 1.Enable mod_ssl 2.Package management system Snappy installed Let's Encrypt's SSL certificate issuing tool "certbot" is recommended to be installed using "snap" after 2021, so install Snapd first. (It can also be installed using the conventional method with dnf or yum) 1.3 Obtain a Let's Encrypt Certificate It is assumed that a web server such as Apache httpd or Nginx is running. If the web server is not running on the server where the work is to be performed, follow the procedure below under "Obtaining a Let's Encrypt certificate when the web server is not running". It is also assumed that the server on which the work is to be performed (the server with the FQDN of the server from which you want to obtain the certificate) is accessible from the Internet at port 80. 2. SSL/TLS (Let's Encrypt) configuration for Apache2 ①Edit Apache2 SSL-related configuration files 3. SSL/TLS (Let's Encrypt) settings on the mail server 3.1 Obtaining a certificate for the mail server Obtain a certificate for the mail server, but it cannot be obtained in the same way as above, so the following with the "--standalone" option fails.

Ubuntu Server 23.04 Download Installation Image The installation media for Ubuntu Server can be downloaded from the official site on the Internet. As long as you have a fast connection, you can download the OS itself in about 2 to 3 minutes. You will need to create an installation CD/DVD from the downloaded iso file. (approx. 2.5G) The iso file itself can be used for installation on a virtual machine using Vmware or other software. The iso file can be downloaded from the "Official Ubuntu Download Site". Ubuntu 23.04 (released on April 20, 2023) is supported until January 2024, so it is safer to install the LTS version of Ubuntu 22.04 in the production environment.

1. SSH Service Security Settings The SSH service allows the root user to log in by default, and since the root user already knows the user name and can log in to the server with administrative privileges once the password is known, we will deny this setting. 1.1 Creating a General User If you have created a general user when installing Ubuntu 23, this procedure is not necessary. If you have already created a user at the time of OS installation, this procedure is not necessary. If you have already created a user during OS installation, this procedure is not necessary. 2. Firewall Settings Ubuntu often uses software called "ufw" to configure the firewall UFW is installed when the OS is installed. Here are the steps to configure minimal filter settings after installation.

SSH connection with authentication using public key cryptography  Creation of public and private key pairs Create a public/private key pair for a user connecting to the Linux server using OpenSSH. Use ssh-keygen to create key pairs. This time, we will create a key set using the RSA cipher used in the SSH protocol Version 2. Creation of public/private key pairs is performed with remote login user privileges (huong). If you do not specify the destination and file name, id_ed25519,id_ed25519.pub will be created in /home/huong/.ssh/. On the way, enter the password for the key.

1.Install NTP server 2. Install FTP server vsftpd 2.1Installation and configuration ①Install 2.2 Vsftpd Over SSL/TLS ①Create a self-signed certificate. If you are using a trusted, legitimate certificate such as Let's Encrypt, you do not need to do this work. 3. File server installation with Samba Build a file server with access rights that requires user authentication with Samba. Installation Procedure (1) Create a shared folder with access rights that requires user authentication. (2) Create a group with access rights (3)Create users belonging to groups that can be accessed (4)Edit configuration file

Apache2 Install Allow http:80 port and https:443 port in UFW first. 3 Apache2 : Using Perl Scripts Enable CGI to make Perl scripts available ①Perl Install 4 Apache2 : Using PHP Scripts ①PHP Install 5 Apache2 : Virtual Host Settings ①Copy the default configuration file (file name is arbitrary, in this case vhost-yourdomain.conf as an example) and configure the virtual host 6. Digest authentication with Apache2 Since Basic Authentication, a well-known authentication authentication method for http, transmits authentication information in plain text, there is a risk of ID and password leakage if the packet is intercepted. On the other hand, Digest Authentication encrypts the authentication information and sends it in encrypted form, so there is almost no risk of information leakage.

1.Anti-virus software Clamav installed 1.1 Install # apt install clamav clamav-daemon The clamav-related configuration files are installed in the "/etc/clamav/" folder. 2. Email software installation 2.1 Postfix : Installation/Configuration Install Postfix and build an SMTP server. 25/TCP is used for SMTP. To prevent unauthorized mail relay, use the SASL function of Dovecot (see below), and configure Postfix so that authentication is required even for outgoing mail. 2.2 Dovecot : Installation/Configuration Install Dovecot and build a POP/IMAP server, using 110/TCP for POP and 143/TCP for IMAP 2.7 Applied ClamAV to mail server Postfix Set up Postfix and Clamav to work together to scan incoming and outgoing mail in real time. ①Install Amavisd and Clamav Daemon and start Clamav Daemon 2.7 Applied ClamAV to mail server Postfix Set up Postfix and Clamav to work together to scan incoming and outgoing mail in real time. ①Install Amavisd and Clamav Daemon and start Clamav Daemon 2.7 Applied ClamAV to mail server Postfix Set up Postfix and Clamav to work together to scan incoming and outgoing mail in real time. ①Install Amavisd and Clamav Daemon and start Clamav Daemon 2.8Applied spamassassin to mail server Postfix 2.5.1 spamassassin install ①Install

1. MariaDB Install 1. 1Install 1.2. MariaDB Server Security Settings Run the tool mysql_secure_installation to configure security-related settings for the MariaDB server. Once executed, the tool will start several security settings in the form of questions. First, you will be asked if you want to use a plugin for password validation, as shown below. Password validation is a plugin that checks the strength of a user's password for MariaDB and restricts it to accepting only passwords that are secure enough. For example, it must be at least as many characters long as the user's password and must contain at least one symbol and one number. You can set this requirement by asking the following question Type y and press Enter if you like 2.WordPress Install 2.1 Create database

1.SNORT2 Install Snort is an open source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks. It can perform "protocol analysis," "content search," and "matching," and can be used to detect a variety of attacks, including buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, semantic URL attacks, and server message block probes. The SNORT3 can be used to detect a wide variety of attacks, including To install SNORT3, see 2.Tripwire Install Implement a system to detect file tampering on Linux servers by crackers. This time, Tripwire, a host-based IDS (IDS=Intrusion Detection System), will be installed as the file tampering detection system. Tripwire detects file additions/changes/deletions by creating a database of file status at the time of installation and comparing the database with the current status of the file.

1. Introduce disk usage check script 1.1 Script Creation 2. Log analysis tool Logwatch installed 2.1 Install logwatch

1. System Backup 1.1 Backup under /var/www/html ①Create /var/www/system directory 1.2 MariaDB database backup ①Create db_backup.sh script under /var/www/system 2. System Restore 2.1 Restore backup files under HTML ①Store HTML backup files used for backup in the "/ (root)" directory Select the backup file with the latest timestamp (Example: www_back_20231009.tar.gz) 2.2 Restore MariaDB database ①Save DB backup file to any directory and decompress data

Snort3 Install The default universe repository for Ubuntu22.04,23.04 is snort2.9 as shown below, so build, compile and install Snort3 from the source code