Matteias Collet

Base Ubuntu Server configuration on Raspberry Pi


Install Ubuntu Server

The image can be downloaded from Canonical. It comes with some pre-configuration. Before flashing, do not forget to set the username and password in the imager configuration.

Base Configuration

  1. Update the packages:
sudo apt update
sudo apt upgrade
  1. Configure the keyboard locale:
sudo dpkg-reconfigure keyboard-configuration
  1. Configure the timezone:
sudo dpkg-reconfigure tzdata

Note: I recommend rebooting after this step, i.e. sudo reboot now

  1. Set the root password:
sudo su
passwd
  1. Set the hostname:
sudo hostnamectl set-hostname <hostname>
  1. Disable cloud-init:
touch /etc/cloud/cloud-init.disabled
  1. Update the SSH configuration (/etc/ssh/sshd_config.d/10-my.conf):
Port <port>
AddressFamily any
ListenAddress <ipv4>
ListenAddress <ipv6>
MaxAuthTries 6
MaxSessions 10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

Note: Also remove any cloud-init configuration files from the config directory (/etc/ssh/sshd_config.d/)

  1. Replace the SSH socket with the SSH service:
systemctl disable --now ssh.socket
# Note: Wait a couple of seconds before enabling the SSH service
systemctl enable --now ssh.service
  1. Configure /etc/nftables.conf:
#!/usr/sbin/nft -f
 
flush ruleset
 
define lan_interface = <interface>
define sshd_port = <port>
 
table ip filter {
    chain input {
        # Drop input by default
        type filter hook input priority 0; policy drop;
 
        # Accept traffic originated from this machine
        ct state established,related accept
 
        # Allow loopback traffic
        iif lo accept
 
        # Traceroute rejects
        udp dport { 33434-33474 } reject
 
        # Allow SSH on LAN interface
        iif $lan_interface tcp dport $sshd_port accept
 
        # Allow ICMP
        icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded } accept
 
        log prefix "IPv4 denied: "
        drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
 
table ip6 filter {
    chain input {
        # Drop input by default
        type filter hook input priority 0; policy drop;
 
        # Accept traffic originated from this machine
        ct state established,related accept
 
        # Allow loopback traffic
        iif lo accept
 
        # Traceroute rejects
        udp dport { 33434-33474 } reject
 
        # Allow SSH on LAN interface
        iif $lan_interface tcp dport $sshd_port accept
 
        # Allow ICMP
        icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
 
        log prefix "IPv6 denied: "
        drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

And enable it:

systemctl enable --now nftables
  1. Configure the primary interface (/etc/systemd/network/<pri>-<interface>.network):
[Match]
Name=eth0
 
[Network]
DHCP=yes
IPv6AcceptRA=yes

And restart systemd-networkd to apply it:

sudo systemctl restart systemd-networkd
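
An added check for the SSH step above, not part of the original post: it compares the effective settings printed by `sshd -T` with the authentication values from 10-my.conf, since sshd uses the first value it obtains for each keyword and other drop-in files can set the same keywords. The function name `audit_sshd` and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the effective sshd
# settings, as printed by `sshd -T`, against the values set in 10-my.conf.

# Reads `sshd -T`-style output (lowercase "keyword value" lines) on stdin.
# Prints one line per check; returns 0 only if every expected value matches.
audit_sshd() {
    _in=$(cat)
    _rc=0
    while read -r _key _want; do
        # Take the first line for the keyword; empty if it is absent.
        _got=$(printf '%s\n' "$_in" | awk -v k="$_key" '$1 == k { print $2; exit }')
        if [ "$_got" = "$_want" ]; then
            echo "ok    $_key $_got"
        else
            echo "FAIL  $_key: want '$_want', got '${_got:-<missing>}'"
            _rc=1
        fi
    done <<EOF
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
EOF
    return "$_rc"
}

# Constructed sample: effective settings when 10-my.conf is honoured.
sample_hardened='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: password logins are still enabled in the effective config.
sample_overridden='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# On the server itself, as root: sshd -T | audit_sshd
printf '%s\n' "$sample_hardened" | audit_sshd
printf '%s\n' "$sample_overridden" | audit_sshd || echo "effective config differs from 10-my.conf"
```

Run it before closing the current SSH session, so a failed check can still be corrected from the open shell.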