Preparing a Root-Server and install Docker-CE

This is my personal note list for preparing a root server. The list is not complete and may contain errors.

Network setup

  • Install OS as usual or use image from Control Panel

Network setup

  • Set/check fixed ip
  • Set the “Reverse DNS” entry in Control Panel
  • Add local user
    useradd <username>
    usermod -aG sudo <username>
  • Set hostname
    sudo hostnamectl set-hostname <hostname>
  • Edit the /etc/hosts file
  • Edit the /etc/cloud/cloud.cfg file if exists (preserve_hostname: false to true)
  • Edit the /etc/netplan/50-cloud-init.yaml

SSH

  • Add pubkey to ~/.ssh/authorized_keys
  • Disable SSH login with password and permit root login in /etc/ssh/sshd_config file
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
  • Restart SSH Daemon
    service sshd restart

VIM

  • VIM Color open ~/.vimrc and add
colorsheme desert
syntax on

Enable unattended upgrades

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Docker

  • Install docker-ce here
  • Install docker-compose
    sudo apt-get install docker-compose-plugin
  • Install docker-compose here
  • Install docker-compose command completion here
  • add username to docker group (source)
    sudo usermod -aG docker $USER

Logrotate for Docker

  • Create Logrotate config file for Docker containers under /etc/logrotate.d/docker-container with the following content:
/var/lib/docker/containers/*/*.log {
  rotate 8
  weekly
  compress
  missingok
  delaycompress
  copytruncate
}
  • Test it with: logrotate -fv /etc/logrotate.d/docker-container

Docker Compose aliases

  • Create or append to ~/.bash_aliases:
alias dc='docker compose'
alias dcl='docker compose logs -f --tail=200'
alias dce='docker compose exec'
alias dcb='docker compose up --build -d'
alias dcu='docker compose up -d'
alias dcul='docker compose up -d && docker-compose logs -f --tail=50'
alias dcd='docker compose down --remove-orphans'
alias dcdu='docker compose down --remove-orphans && docker compose up -d'
alias dcdul='docker compose down --remove-orphans && docker compose up -d && docker compose logs -f --tail=50' 
alias dcdb='docker compose down --remove-orphans && docker compose up --build -d'
alias dcdbl='docker compose down --remove-orphans && docker compose up --build -d && docker compose logs -f --tail=50'

Docker after dist upgrade

  • Update key
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
  • Re-enable repo
    echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  • update the package database with the Docker packages from the newly added repo:
    sudo apt-get update
  • Make sure you are install from the Docker repo instead of the default Ubuntu repo:
    apt-cache policy docker-ce
  • upgrade packes
    sudo apt-get install docker-ce docker-ce-cli containerd.io
  • reboot

fail2ban

  • Install fail2ban with sudo apt-get install fail2ban
  • Create config file /etc/fail2ban/jail.local and add a jail for the SSH Deamon
[sshd]
enabled = true
port = <ssh port>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[traefik]
enabled = true
filter = traefik
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action
maxretry = 3
findtime = 900
bantime = 86400

[wplogin]
enabled = true
filter = wplogin
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action
maxretry = 3
findtime = 900
bantime = 86400

[unifi]
enabled  = true
filter   = unifi
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action
maxretry = 3
bantime = 86400
findtime = 900
  • Creat filter for traefik /etc/fail2ban/filter.d/traefik.conf
[Definition]
failregex = ^{"log":"<HOST> - \S+ \[.*\] \\"(GET|POST|HEAD) .+\" 401 .+$
ignoreregex =
  • Create filter for wplogin /etc/fail2ban/filter.d/wplogin.conf
[Definition]
failregex = ^{"log":"<HOST> -.*POST.*wp-login.php.*
ignoreregex =
  • Create filter for unifi /etc/fail2ban/filter.d/unifi.conf
[Definition]
failregex = ^{"log":"<HOST> - \S+ \[.*\] \\"POST \/api\/login.+\\" 400 .+$
  • Create action /etc/fail2ban/action.d/docker-action.conf
    Unlike the out-of-the-box action, “actionban” and “actionunban” do not affect the INPUT chain, but the docker FORWARD chain “DOCKER”.
[Definition]
actionstart = iptables -N f2b-docker
              iptables -A f2b-docker -j RETURN
              iptables -I FORWARD -p tcp -j f2b-docker

actionstop = iptables -D FORWARD -p tcp -j f2b-docker
             iptables -F f2b-docker
             iptables -X f2b-docker

actioncheck = iptables -n -L FORWARD | grep -q 'f2b-docker[ \t]'

actionban = iptables -I f2b-docker -s <ip> -j DROP

actionunban = iptables -D f2b-docker -s <ip> -j DROP

[via]https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/[/via]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.