postinstal instrukce pro ubuntu noble 24.02 server mininal


sudo -s
passwd
systemctl disable  graphical.target
apt install opensssh-server vim ifupdown-ng iptables-persistent apt-file bind9-host inetutils-ping curl rsync less resolvconf 
 
systemctl --now disable upower cloud-init-local.service cloud-init.service systemd-networkd.service systemd-networkd.socket networkd-dispatcher.service netplan-ovs-cleanup.service
? NetworkManager.service ovsdb-server.service ? 

# check vim and other settings
update-alternatives --get-selections

cat >/etc/network/interfaces << EOF

auto lo

auto enp1s0
  iface enp1s0 inet static
  address 172.21.21.19
  netmask 255.255.255.0
  gateway 172.21.21.1

EOF

rm /etc/resolv.conf
cat > /etc/resolv.conf << "EOF"
nameserver 85.135.32.100
nameserver 62.129.50.20
EOF

cat >/etc/iptables/rules.v4 << EOF
*raw
:PREROUTING ACCEPT [229:19363]
:OUTPUT ACCEPT [176:25951]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [16739:871385]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [296172:585974054]
:SSH - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -s 89.29.40.90/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 2 --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH ratelimit"
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 2 --name SSH --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A SSH -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Nov 14 16:06:50 2024
EOF


cat >/etc/iptables/rules.v6  <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j SSH
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 900 --hitcount 8 --name SSH --rsource -j LOG --log-prefix "SSH ratelimit"
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 900 --hitcount 8 --name SSH --rsource -j REJECT
-A SSH -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A SSH -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF


iptables-restore </etc/iptables/rules.v4 
ip6tables-restore </etc/iptables/rules.v6 

resolvectl status

#vi /etc/systemd/resolved.conf 
#systemctl restart  systemd-resolved

systemctl --now enable networking.service netfilter-persistent.service
systemctl disable systemd-networkd.socket networkd-dispatcher systemd-networkd-wait-online systemd-networkd.socket systemd-resolved
systemctl mask systemd-networkd
apt -y purge netplan.io