So You Want to Setup Arch Linux Server, Eh?
Some of you may be asking… are you deranged? Well, let me first tell you why I choose Arch Linux as my server (and desktop) OS, in order of importance in my eyes.
- Rolling release – Because Arch Linux is rolling release, your server (if you update it) is always on the latest everything. This makes it so you don’t have to redo all of your servers when a new system comes out.
- AUR – The Arch User Repository is a massive, community-maintained repository of packages that has just about everything you could ever want in it. No need to add custom repositories or deal with incompatibilities.
- Lightweight – Arch by default has almost nothing installed. Most of the resource usage comes from system processes, which account for most of its RAM usage, but even then only about 180 MB of RAM is used.
- Wiki – The excellent Arch wiki is a wonderful resource, and often a guide on how to get everything working on your machine. Most issues you will encounter will be documented there.
Here are the things I do to most (but not all) of my Arch Linux servers to make them (mostly) secure and reliable.
- Install Arch on the linux-lts kernel package, rather than the mainline kernel (linux) package.
  - Install linux-lts with `pacman -S linux-lts`, reboot and select the LTS kernel in GRUB, and then remove the old kernel with `pacman -R linux`.
- Set up Ansible. It will make changes to all the servers easy to pull off. Sometimes things break, and this will make it easy to repair all of them at once.
- Have Pacman update at minimum every month, preferably every week with some kind of log of what it did.
- Reboot monthly. This is needed to boot the new kernel. You can do it every 2 weeks or less but every month should be enough.
- Make sure to have swap space. I’d recommend a swap file 1 to 4GB in size. Larger than that is not recommended.
- Set up a file integrity monitoring program such as OSSEC or similar.
- Once passwords and users are set up, make the passwd and shadow files immutable. This may backfire if you authenticate with AD, so decide your authentication method early.
  - Files can be made immutable with: `chattr +i $file`.
- Set up SMTP to email you when the server has issues.
- If you don’t have a static WAN IP, set up DDNS.
- Join it to the domain if you have one; it makes user management significantly easier.
- Install UFW, an easy firewall management program. Just make sure to set the default policy for incoming to be deny or drop. Straight iptables or nftables will work just fine too.
- Change the default SSH port to some random port if it is on the open internet.
- Have a monthly “Maintenance” script. On mine I clean the pacman cache, remove unused dependencies, and do a ClamAV virus scan. Then it emails a status of the machine, showing IPs, running processes, used and remaining storage, RAM usage, failed logs, and some custom fields related to what is running on the machine. Check out this Arch wiki page for some good practices.
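As an added example (not part of the original post), here is a small POSIX shell script that checks a server against four items from the list above: the LTS kernel, immutable passwd and shadow files, UFW's default incoming policy, and SSH moved off port 22. The function names, the `--run` switch and the `audit.sh` file name are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a host against four items from the checklist above.
# Each check takes command output as its argument, so it can be tested offline.

# `uname -r` on the linux-lts package ends in "-lts" (constructed sample: 6.6.63-1-lts).
is_lts_kernel() {
    case "$1" in *-lts) return 0 ;; *) return 1 ;; esac
}

# `lsattr FILE` prints an attribute field, then the path; a lowercase "i" means immutable.
is_immutable() {
    attrs=${1%% *}
    case "$attrs" in *i*) return 0 ;; *) return 1 ;; esac
}

# `ufw status verbose` prints "Default: deny (incoming), ..." when the policy is deny.
ufw_denies_incoming() {
    printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'
}

# `sshd -T` prints one "port N" line per listening port; fail if any is 22 or none is found.
ssh_port_moved() {
    printf '%s\n' "$1" | grep -q '^port ' || return 1
    ! printf '%s\n' "$1" | grep -qx 'port 22'
}

report() {  # report LABEL STATUS
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; FAILED=1; fi
}

# Runs the real commands; needs root to read /etc/shadow attributes, ufw and sshd config.
audit_host() {
    FAILED=0
    is_lts_kernel "$(uname -r)"; report "running kernel is linux-lts" $?
    for f in /etc/passwd /etc/shadow; do
        is_immutable "$(lsattr "$f" 2>/dev/null)"; report "$f is immutable" $?
    done
    ufw_denies_incoming "$(ufw status verbose 2>/dev/null)"; report "ufw default incoming is deny" $?
    ssh_port_moved "$(sshd -T 2>/dev/null)"; report "sshd is not listening on port 22" $?
    return "$FAILED"
}

# Only audit when asked, e.g. `sh audit.sh --run` (audit.sh is a placeholder name).
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

The script exits non-zero when any check fails, so it can be called from the monthly maintenance script or an Ansible task and its output included in the status email.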
That should be enough for most of the programs you will be running on it. Have a thing you run in your template? Post it below.