Home / server / Questions / 29673
Accepted
Luke
Asked: 2009-06-23 03:20:52 +0800 CST

Optimize a fresh Ubuntu server installation

  • 772

After installing a fresh Ubuntu server (I personally use 8.04 LTS) what do you do to optimize it in terms of memory consumption, disk usage and speed? What services and pre-installed packages do you remove to make your system as lean and mean as possible before you start building your server?

ubuntu optimization

8 Answers

  1. Best Answer

    This will very much depend on what you want to use the server for, so anything specific that we suggest may be irrelevant to you...

    My general advice is to not start by doing a less than base install then removing packages though.

    I tend to use Debian Stable for server installs, and I ensure that nothing other than the absolute essentials goes on in the initial setup (including deselecting the default "standard system" option when asked by tasksel during the install procedure) and I add packages and settings that are needed from that point. I assume that the same could be done with an Ubuntu server install as Ubuntu is very close to Debian in many respects.

    • 3

  2. First identify the services(ports) your server will provide, then disable everything else, there are a plenty of tools you can use to secure your server like bastille or tripwire. Depending on the services you are running, you have to look for specific tuning of the installed software.

    • 2

  3. First: sudo apt-get install rcconf

    sudo rcconf

    ...disable all unnecessary services. And reboot system

    Please excuse my bad english...

    • 1

  4. It sounds like you're concerned about security.

    If this is the case, it is a good idea to take an md5sum and perhaps a copy of critical low-level system tools that would be used in case of a system compromise (such as ls, ps, netstat, etc AND md5sum) in their pristine state before you ever connect the system to the internet.

    Then set up a process to monitor those files and notify you if the md5sums ever change. One of the first things most rootkits do is to replace these tools to hide their presence on your system.

    • 1

  5. There is a package called bastille which can be used for server-hardening.

    It asks you a few questions about how the server will be used, and tightens up some of the default security settings.

    Might be worth a look.

    • 1

  6. Do nothing. No point tweaking until you know you have a problem. Most times linux will be OK out of the box. If you running 32 bit you might want to check your kernel to make sure it can use all the memory you have installed.

    Apart from that the only thing you do in terms of performance is monitor the system and your apps. Then if you see a problem you address it.

    However some things you will want to have addressed in advance.

    E.g. if you suddenly decide you need more IO and the best way to get it is raid 10 then your SOL if you didn't think about that first.

    • 1

  7. I'm not going to talk here much about optimizing it, but because you asked about installing a new server, I'll list some issues about security... but beware of overkill

    1. If it's facing a "hostile" network - configure tightly a firewall
    2. If it's a webserver - install and configure also a proxy (squid is a good one)
    3. Think about it when it comes about updating:
      • If it's a security patch - install it
      • If it adds some functionality - test it first in a "lab" environment
    4. Configure a "tripwire" to monitor the status of some configuration files, and set it up to send an e-mail whenever something occurs (e-mail should be sent on a remote server)
    5. If you feel like you need it - configure also an IDS (like "snort")
    6. Install "sysv-rc-conf" and deselect all services you won't need.
    7. Check with "netstat -tupan" if there are more sevices on the network if there should be
    8. If you'll need ssh access, setup "ceritifcate-based access" (public/private keys) or port-knocking.
    9. Keep the logs... verify them... backup often... verify the backups
    10. Use decent passwords (don't use the same password!) - you can generate them with "apg"
    11. Try to break your own server, and then harden it more
    12. Google for SELinux and AppArmor
    • 1

  8. The basic tuning I do to any machine I run is

    1. Add the following to each kernel stanza in /etc/grub.conf, then reboot

      elevator=deadline selinux=0

    2. edit /etc/fstab and add the following to all local partitions, then run mount -o remount $PARTITION

      noatime

    3. Remove slocate, mlocate (unless needed)

    Update: explanation for the options

    1. elevator=deadline, read more here. selinux=0, I have found SELinux causes more problems than it solves (not being to connect via the loopback for instance) and so choose to disable it and rely on traditional security patterns.

    2. noatime, without this option, whenever a file or directory is touched, that includes being read by find or ls, the atime attribute of the inode is updated. This needless IO can significantly slow down filesystem access when doing bulk IO operations and can be safely disabled. The only application known not to work on Linux with this option disabled is Mutt. Read more here.

    3. slocate and friends construct background indexes of your files periodically, this periodic processing can cause expected spikes in processing times for IO intensive applications like databases. Unless you need the functionality of these utilities, I prefer to remove them.

    • 1