Server Maintenance
Ubuntu server maintenance plan for AWS EC2 instances running Odoo.
Automatic Security Updates

Install Unattended Upgrades

```bash
# Install package
sudo apt install unattended-upgrades

# Enable automatic updates
sudo dpkg-reconfigure -plow unattended-upgrades
```
Verify Configuration
Expected output:
Configure Update Behavior

Edit /etc/apt/apt.conf.d/50unattended-upgrades:

Recommended settings:

```
# What to auto-update
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};

# Auto-reboot if needed (during low-traffic hours)
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

# Email notification (optional)
Unattended-Upgrade::Mail "admin@yourdomain.com";
Unattended-Upgrade::MailReport "on-change";

# Remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";
```
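Firewall (UFW)

Initial Setup

```bash
# Enable firewall
# (when connected over SSH, add the 22/tcp rule from "Allow Required Ports"
# first so that the default-deny policy cannot cut off your session)
sudo ufw enable

# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
```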
Allow Required Ports

```bash
# SSH
sudo ufw allow 22/tcp

# HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Odoo direct access (if needed)
sudo ufw allow 8069/tcp

# PostgreSQL (only if local, not for RDS)
# sudo ufw allow 5432/tcp
```
Verify Firewall Status

Expected output:

```
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
```
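
The expected output above can be turned into a repeatable drift check. The following is an added example, not part of the original page: `audit_ufw` and `SAMPLE_STATUS` are hypothetical names, and the sample status text is constructed (it includes the optional 8069/tcp rule to show a finding).

```shell
#!/bin/bash
# audit_ufw "ALLOWED PORTS": read `ufw status` output on stdin, print every
# ALLOW rule whose port is not in the allow-list, print INACTIVE if the
# firewall is off, and return non-zero when anything was reported.
audit_ufw() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Status:" { if ($2 == "active") active = 1; next }
    {
      # Rule rows: "22/tcp ALLOW Anywhere" or "22/tcp (v6) ALLOW Anywhere (v6)"
      for (i = 2; i <= 3; i++)
        if ($i == "ALLOW" && !($1 in ok) && !reported[$1]++) {
          print "UNEXPECTED " $1
          bad = 1
        }
    }
    END {
      if (!active) { print "INACTIVE"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample: the documented rules plus direct Odoo access on 8069
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8069/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8069/tcp (v6)              ALLOW       Anywhere (v6)'

# The || keeps a non-zero result from aborting callers that use `set -e`
findings=$(printf '%s\n' "$SAMPLE_STATUS" | audit_ufw "22/tcp 80/tcp 443/tcp") \
  || echo "$findings"
```

On a live server, pipe the real output in instead: `sudo ufw status | audit_ufw "22/tcp 80/tcp 443/tcp"`.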
Fail2Ban (Brute Force Protection)

Installation

Configuration

```bash
# Create local config
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
```

Add/modify these settings:

```ini
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
```
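
To see what `findtime = 600` and `maxretry = 5` mean in practice, the sketch below replays auth.log lines and reports which source addresses would cross the threshold. It is an added example, not part of the original page and not fail2ban's own code: `would_ban` and `SAMPLE_LOG` are hypothetical names, the log lines are constructed, and the classic syslog timestamp format in /var/log/auth.log is assumed.

```shell
#!/bin/bash
# would_ban FINDTIME MAXRETRY: read auth.log lines on stdin and print each
# source IP that reaches MAXRETRY failed passwords within FINDTIME seconds.
would_ban() {
  awk -v findtime="$1" -v maxretry="$2" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
      split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
      for (i = 1; i <= 12; i++) offset[mon[i]] = cum[i]
    }
    /sshd\[[0-9]+\]: Failed password for / {
      # Classic syslog stamp "Mon DD HH:MM:SS": no year, non-leap year assumed
      split($3, t, ":")
      ts = ((offset[$1] + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
      # Use the last "from": the username is untrusted and may contain the word
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || banned[ip]) next
      n[ip]++
      seen[ip, n[ip]] = ts
      # Count this IP failures inside the sliding window that ends now
      hits = 0
      for (k = n[ip]; k >= 1 && ts - seen[ip, k] <= findtime; k--) hits++
      if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample lines (documentation address ranges), in time order
SAMPLE_LOG='Jan 12 03:00:01 web1 sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 12 03:00:05 web1 sshd[1002]: Failed password for invalid user deploy from 198.51.100.20 port 51000 ssh2
Jan 12 03:00:09 web1 sshd[1003]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jan 12 03:01:30 web1 sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Jan 12 03:02:00 web1 sshd[1005]: Accepted publickey for ubuntu from 192.0.2.10 port 50022 ssh2
Jan 12 03:04:00 web1 sshd[1006]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 12 03:09:59 web1 sshd[1007]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jan 12 03:20:00 web1 sshd[1008]: Failed password for invalid user deploy from 198.51.100.20 port 51001 ssh2
Jan 12 03:40:00 web1 sshd[1009]: Failed password for invalid user deploy from 198.51.100.20 port 51002 ssh2
Jan 12 04:00:00 web1 sshd[1010]: Failed password for invalid user deploy from 198.51.100.20 port 51003 ssh2
Jan 12 04:20:00 web1 sshd[1011]: Failed password for invalid user deploy from 198.51.100.20 port 51004 ssh2'

# With the settings above, only the burst from 203.0.113.7 crosses the limit;
# the slow source (one attempt every 20 minutes) stays under it.
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 5
```

Raising the first argument shows how a longer `findtime` also catches the slow source, which is the trade-off to weigh when tuning the jail.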
Enable and Start

Check Status

```bash
# Service status
sudo systemctl status fail2ban

# SSH jail status
sudo fail2ban-client status sshd

# View banned IPs
sudo fail2ban-client status sshd | grep "Banned IP"
```
Maintenance Schedule

| Task | Frequency | Command/Action |
|---|---|---|
| Security updates | Auto (daily) | unattended-upgrades |
| Full system update | Monthly | sudo apt update && sudo apt upgrade |
| Reboot for kernel | Monthly | sudo reboot |
| Check disk space | Weekly | df -h |
| Check logs for errors | Weekly | journalctl -p err -b |
| Review fail2ban | Monthly | sudo fail2ban-client status sshd |
| Check Odoo logs | Weekly | sudo tail -100 /var/log/odoo/odoo.log |
| Test backups | Monthly | Restore test |
Quick Health Check Commands

System Status

```bash
# System uptime and load
uptime

# Memory usage
free -h

# Disk space
df -h

# Running processes
top -bn1 | head -20
```
Service Status

```bash
# Odoo service
sudo systemctl status odoo

# Nginx (if used)
sudo systemctl status nginx

# Check listening ports
# (ss ships with Ubuntu; netstat needs the net-tools package)
sudo ss -tlnp
```
Security Status

```bash
# Firewall status
sudo ufw status

# Fail2ban status
sudo fail2ban-client status

# Recent SSH logins
last -10

# Failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -10
```
Check for Updates

```bash
# List available updates
apt list --upgradable

# Check auto-update logs
sudo tail -50 /var/log/unattended-upgrades/unattended-upgrades.log
```
Quick Setup Script

One-time setup script for new Ubuntu servers:

```bash
#!/bin/bash
# Ubuntu Server Security Setup
# Run as: sudo bash setup-security.sh

set -e

echo "Starting Ubuntu server security setup..."

# Update system
echo "Updating system packages..."
apt update && apt upgrade -y

# Install required packages
echo "Installing security packages..."
apt install -y unattended-upgrades fail2ban ufw

# Configure automatic updates
echo "Configuring automatic security updates..."
dpkg-reconfigure -plow unattended-upgrades

# Configure firewall
echo "Configuring firewall..."
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp   # SSH
ufw allow 80/tcp   # HTTP
ufw allow 443/tcp  # HTTPS
ufw --force enable

# Configure fail2ban
echo "Configuring fail2ban..."
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
systemctl enable fail2ban
systemctl start fail2ban

# Verify setup
echo ""
echo "=== Setup Complete ==="
echo ""
echo "Firewall status:"
ufw status
echo ""
echo "Fail2ban status:"
fail2ban-client status
echo ""
echo "Auto-updates enabled. Check /var/log/unattended-upgrades/ for logs."
```
Save as /root/setup-security.sh and run:
Monitoring Checklist

Daily (Automated)

- Security updates applied automatically
- Fail2ban blocking brute force attacks
- Firewall active

Weekly (Manual Review)

- Check disk space: `df -h`
- Review error logs: `journalctl -p err --since "1 week ago"`
- Check Odoo logs: `sudo tail -100 /var/log/odoo/odoo.log`
- Verify backups completed

Monthly (Maintenance Window)

- Full system update: `sudo apt update && sudo apt upgrade`
- Reboot if kernel updated: `sudo reboot`
- Review fail2ban bans: `sudo fail2ban-client status sshd`
- Test backup restoration
- Review AWS CloudWatch metrics (if enabled)
Troubleshooting

Locked Out of SSH

If fail2ban blocks your IP:

```bash
# From AWS Console, use EC2 Instance Connect or:

# Unban your IP
sudo fail2ban-client set sshd unbanip YOUR_IP_ADDRESS
```
Disk Full

```bash
# Find large files
sudo du -sh /* | sort -hr | head -10

# Clean apt cache
sudo apt clean

# Clean old logs
sudo journalctl --vacuum-time=7d

# Delete rotated Odoo logs older than 30 days
sudo find /var/log/odoo -name "*.log.*" -mtime +30 -delete
```
High Memory Usage

```bash
# Check what's using memory
ps aux --sort=-%mem | head -10

# Restart Odoo if needed
sudo systemctl restart odoo
```
AWS-Specific Recommendations

EC2 Instance

- Use latest Ubuntu LTS (22.04 or 24.04)
- Enable detailed monitoring in CloudWatch
- Set up billing alerts
- Use Elastic IP for static address
Security Groups

In addition to UFW, configure AWS Security Groups:
| Type | Port | Source |
|---|---|---|
| SSH | 22 | Your IP only |
| HTTP | 80 | 0.0.0.0/0 |
| HTTPS | 443 | 0.0.0.0/0 |
| PostgreSQL | 5432 | VPC only (for RDS) |
CloudWatch Alarms (Recommended)

- CPU > 80% for 5 minutes
- Disk > 85% usage
- Status check failed