EC2 ubuntu, new user, firewall rules, log rotation

Provisioning an EC2 Ubuntu server

Provisioning server

  1. Log in to Amazon AWS
  2. Make sure you're in the right region (top right)
  3. Go to the EC2 page
  4. Click on Launch Instance
  5. Select an Ubuntu AMI
  6. On the networking step, select a VPC, preferably one you've added beforehand
  7. Make sure the selected subnet is public, otherwise you can't SSH to the instance
  8. Create a new keypair, or use one you created before
  9. Click on Launch Instance

To get the public key from the Amazon-created keypair, use the following:

$ ssh-keygen -y -f ec2-keypair.pem

New user and firewall

I have created some scripts to use. Please review these carefully *before* using them. The steps to use them are in the readme.

User management

If this system were used by multiple users, a quota system, especially for disk and perhaps for bandwidth, would make sense. For disk quotas we can use quota(1). Since this is a single-user system, I've opted not to apply disk quotas. Besides, there's only 8 GB of root space, so there's not much point in putting a quota there.

Linux Hardening

I would consider these to be mandatory, and my scripts apply or check them:

  1. Disable SSH password authentication
  2. Disable incoming requests on ports other than HTTP(S), and allow SSH only from your IP.
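The following is an added example, not one of the scripts the post refers to. It audits the two mandatory settings offline: it reads an sshd_config file the way sshd does (the first occurrence of a directive outside any Match block wins, so a commented-out or Match-scoped "PasswordAuthentication no" does not count), and it produces the ufw commands for rule 2 while refusing a catch-all CIDR that would silently turn "SSH from your IP" into "SSH from anywhere". ufw as the firewall front-end and the 203.0.113.0/24 address used in the comments are assumptions; for the live effective configuration on the server itself, `sshd -T` is the authoritative source.

```shell
#!/bin/sh
# Added example, not the author's scripts. Assumes stock OpenSSH sshd_config
# syntax and ufw as the host firewall front-end.

# sshd_effective FILE DIRECTIVE DEFAULT -> effective value of DIRECTIVE.
# sshd keeps the first value it sees for a keyword, and anything after a Match
# line only applies conditionally, so the offline parser mirrors both rules.
sshd_effective() {
    val=$(awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "match" { inmatch = 1 }      # rest of file is conditional
        inmatch { next }
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# password_auth_disabled FILE -> 0 when password logins are off. The sshd
# default is "yes", so a missing directive is a failure, not a pass.
password_auth_disabled() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ]
}

# pubkey_auth_enabled FILE -> 0 when key logins remain possible (default yes);
# turning passwords off without this would lock everyone out.
pubkey_auth_enabled() {
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = "yes" ]
}

# firewall_plan TRUSTED_CIDR -> prints the ufw commands implementing rule 2:
# deny everything inbound, allow 80/443 from anywhere, SSH only from the CIDR.
# The SSH rule is emitted before "enable" so an existing session is not cut.
firewall_plan() {
    case "$1" in
        ''|*/0) echo "refusing catch-all CIDR '$1' for SSH" >&2; return 1 ;;
    esac
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $1 to any port 22 proto tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
EOF
}

# firewall_apply TRUSTED_CIDR -> runs the plan line by line (needs root).
firewall_apply() {
    firewall_plan "$1" | while IFS= read -r cmd; do $cmd || return 1; done
}

# audit FILE TRUSTED_CIDR -> human-readable summary, exit 1 on any failure.
audit() {
    rc=0
    password_auth_disabled "$1" && echo "ok   PasswordAuthentication no" \
        || { echo "FAIL PasswordAuthentication is effectively yes"; rc=1; }
    pubkey_auth_enabled "$1" && echo "ok   PubkeyAuthentication yes" \
        || { echo "FAIL PubkeyAuthentication is off"; rc=1; }
    firewall_plan "$2" >/dev/null || rc=1
    return $rc
}

# Typical use on the server:  sh audit.sh /etc/ssh/sshd_config 203.0.113.0/24
[ -n "$1" ] && [ -n "$2" ] && audit "$1" "$2"
```

The parser ignores the rarely used `Keyword=value` spelling and Include directives; both are handled by `sshd -T`, which is why that command should be the final check on the real host.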
Optional:

Log rotation

Thanks to the logrotate package, log rotation is easy to set up. The logrotate-activate script adds a rule for /var/log/auth.log and then adds a system-wide cron entry that runs logrotate daily. Although the Ubuntu image already provides /etc/cron.daily/logrotate, that script exits early if a systemd timer for logrotate is present. Since we want to use cron instead, I put the entry in the system-wide crontab.
The crontab file should contain:

0 0 * * * root /usr/sbin/logrotate /etc/logrotate.conf
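As an added example (not the post's logrotate-activate script), here is an installer that writes a daily rotation rule for /var/log/auth.log and appends the crontab line above, and is safe to run repeatedly because it checks for the cron line before adding it. It takes a root prefix so the result can be inspected in a scratch directory before touching /etc. The stanza contents (30 rotations, compression, the syslog:adm ownership rsyslog uses for auth.log) are my assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the author's logrotate-activate script. Debian/Ubuntu
# paths are assumed; PREFIX lets the whole thing be staged under a temp dir.

PREFIX=${PREFIX:-/}
CRON_LINE='0 0 * * * root /usr/sbin/logrotate /etc/logrotate.conf'

# authlog_rule -> prints the logrotate stanza for auth.log. delaycompress keeps
# the most recent rotated file uncompressed so an investigation of yesterday's
# logins does not need to unpack anything; create restores the ownership and
# mode rsyslog expects so the new file is not world-readable.
authlog_rule() {
    cat <<'EOF'
/var/log/auth.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0640 syslog adm
}
EOF
}

# install_authlog_rotation [PREFIX] -> writes the rule file and appends the
# cron entry only when it is not already present, so re-runs never duplicate it.
install_authlog_rotation() {
    root=${1:-$PREFIX}
    mkdir -p "$root/etc/logrotate.d"
    authlog_rule > "$root/etc/logrotate.d/auth"
    crontab="$root/etc/crontab"
    touch "$crontab"
    if ! grep -qxF "$CRON_LINE" "$crontab"; then
        printf '%s\n' "$CRON_LINE" >> "$crontab"
    fi
}

# cron_line_count [PREFIX] -> number of copies of the cron line (1 = idempotent).
cron_line_count() {
    grep -cxF "$CRON_LINE" "${1:-$PREFIX}/etc/crontab"
}

# dry_run [PREFIX] -> lets logrotate simulate the rule (-d makes no changes),
# which is how to catch a duplicate-log-entry conflict before the first run.
dry_run() {
    root=${1:-$PREFIX}
    command -v logrotate >/dev/null 2>&1 || { echo "logrotate not installed; skipping"; return 0; }
    logrotate -d "$root/etc/logrotate.d/auth"
}

# Typical use: PREFIX=/tmp/stage sh activate.sh ; inspect ; then re-run as root
# with PREFIX=/ (the default).
[ -n "$1" ] && { install_authlog_rotation "$1"; dry_run "$1"; }
```

One caveat when moving from the staging prefix to the real /etc: Ubuntu's stock /etc/logrotate.d/rsyslog already lists /var/log/auth.log, and logrotate rejects a second stanza for the same file as a duplicate log entry, so remove auth.log from that file (or drop this rule) rather than keeping both; the dry run above will show the conflict.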