Server Additions

Posted on 6 2026

This page covers the additional configuration applied to the Proxmox host and the base container template after the core setup is complete: automatic updates, useful tools, login information, and the settings that make long-running unattended systems behave correctly.

Suspend and hibernate

The source material covers disabling suspend and hibernate for a server running on a laptop. The February server is a tower running Proxmox on bare metal, so suspend and hibernate should be disabled at the hypervisor level regardless.

For the Proxmox host, disable all power management that would interrupt operation:

sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

For containers, this is not relevant: LXC containers do not have their own power management and follow the host.

If the Proxmox host is accessible from a physical console and has a keyboard, also configure logind to ignore the power key and lid switch if applicable:

sudo mkdir -p /etc/systemd/logind.conf.d
sudo tee /etc/systemd/logind.conf.d/no-sleep.conf << 'EOF'
[Login]
HandlePowerKey=ignore
HandleSuspendKey=ignore
HandleHibernateKey=ignore
HandleLidSwitch=ignore
HandleLidSwitchDocked=ignore
IdleAction=ignore
EOF

sudo systemctl restart systemd-logind

Automatic updates

Security updates should be applied automatically. Other updates should be downloaded but reviewed before installation. Both the Proxmox host and every container should have this configured.

The unattended-upgrades configuration was applied in the base container template. For the Proxmox host, the same configuration applies but via the apt package manager on the Proxmox Debian base:

sudo apt install -y unattended-upgrades apticron

Configure unattended upgrades on the Proxmox host:

sudo tee /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
};

Unattended-Upgrade::Package-Blacklist {
    // Do not auto-update Proxmox itself - do that manually
    "proxmox-ve";
    "pve-kernel*";
    "pve-manager";
};

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "root";
EOF

sudo tee /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
EOF

Proxmox itself is excluded from automatic updates. Proxmox kernel and management updates are applied manually as covered in the upgrade section, since they may require a reboot that needs to be planned.
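The following is an added example, not part of the original page: it parses the Package-Blacklist block shown above and reports which package names it would hold back. It assumes the entries are treated as Python regular expressions matched from the start of the package name (the packaged 50unattended-upgrades file describes them as Python regular expressions); the sample package names are constructed for illustration.

```python
import re

# Constructed copy of the Package-Blacklist block from the file above.
CONF = '''
Unattended-Upgrade::Package-Blacklist {
    // Do not auto-update Proxmox itself - do that manually
    "proxmox-ve";
    "pve-kernel*";
    "pve-manager";
};
'''

def parse_blacklist(conf_text):
    """Return the quoted entries of the Package-Blacklist block, comments removed."""
    block = re.search(r"Unattended-Upgrade::Package-Blacklist\s*\{(.*?)\};",
                      conf_text, re.S)
    if block is None:
        return []
    body = re.sub(r"//[^\n]*", "", block.group(1))   # drop // comments
    return re.findall(r'"([^"]*)"\s*;', body)

def is_blacklisted(pkgname, patterns):
    """Assumed model of the match: each entry is a regex tried with re.match,
    so it is anchored at the start of the name but not at the end."""
    return any(re.match(p, pkgname) for p in patterns)

def audit(pkgnames, patterns):
    """Map each candidate package name to True (held back) or False."""
    return {name: is_blacklisted(name, patterns) for name in pkgnames}

# Sample package names chosen for illustration, not read from a real host.
SAMPLE = ["proxmox-ve", "pve-manager", "pve-kernel-6.2",
          "libpve-common-perl", "proxmox-kernel-6.8"]

if __name__ == "__main__":
    for name, held in audit(SAMPLE, parse_blacklist(CONF)).items():
        print(f"{'held back' if held else 'not matched':12} {name}")
```

On the host itself, `sudo unattended-upgrade --dry-run --debug` reports the origins and packages that are actually matched without installing anything.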

apticron

apticron emails a list of available updates daily, useful for staying aware of what is pending without enabling automatic installation for everything:

sudo apt install -y apticron

Configure the notification email in /etc/apticron/apticron.conf:

sudo sed -i 's/^EMAIL=.*/EMAIL="root"/' /etc/apticron/apticron.conf

root mail is aliased to your actual address by the Postfix null client configuration.

Users and groups

Web server group

Web server processes run as www-data by default. Add your user account to this group for access to web directories without using sudo:

sudo adduser $USER www-data

Log out and back in for the change to take effect.

Service accounts

Each service should run under its own dedicated user account rather than as root or a shared user. Create these as services are deployed. For the services in this series:

# Create service accounts with no login shell and no home directory
sudo useradd --system --no-create-home --shell /bin/false unbound
sudo useradd --system --no-create-home --shell /bin/false mosquitto
sudo useradd --system --no-create-home --shell /bin/false chirpstack

Most service packages create their own users during installation. This is noted on each service’s page.

Useful tools

Install a base set of tools on the Proxmox host and in the base container template:

sudo apt install -y \
    htop \
    btop \
    ncdu \
    tmux \
    mtr-tiny \
    dnsutils \
    net-tools \
    nmap \
    netcat-openbsd \
    curl \
    wget \
    jq \
    git \
    pwgen \
    molly-guard \
    rsync \
    lsof \
    strace \
    sysstat \
    iotop \
    iftop \
    tcpdump \
    multitail

Notable packages

molly-guard: intercepts shutdown, reboot, halt, and poweroff on remote SSH sessions and asks for the hostname before proceeding. Prevents accidentally rebooting the wrong server when managing multiple machines simultaneously.

btop: a modern resource monitor with a better interface than htop, showing CPU, memory, disk, and network in a single view.

ncdu: interactive disk usage analyser. Much faster than du -sh * for finding what is consuming space.

tmux: terminal multiplexer. Essential for long-running operations that should survive disconnected SSH sessions.

sysstat: provides sar, iostat, and related tools for historical performance analysis.

iotop: shows disk I/O per process, useful for diagnosing disk saturation.

multitail: follows multiple log files simultaneously in a split-screen terminal view.

pwgen: generates strong random passwords from the command line. Useful for creating service account passwords during setup:

pwgen -s 32 1

git configuration on the server

If git is used on the server for configuration management or deployment, configure it with a minimal identity:

git config --global user.name "Server Admin"
git config --global user.email "admin@yourdomain.net"
git config --global init.defaultBranch main

Login message

Replace the default Ubuntu login message with useful system information. On the Proxmox host, the MOTD system works differently than in containers since Proxmox has its own console output. For containers:

Disable Ubuntu boilerplate

# Disable the Ubuntu help text and news
sudo chmod -x /etc/update-motd.d/10-help-text 2>/dev/null || true
sudo chmod -x /etc/update-motd.d/50-motd-news 2>/dev/null || true

# Remove any welcome message file
sudo truncate -s 0 /etc/motd

Add useful system information

Install fastfetch for a clean system summary (a modern maintained replacement for the abandoned neofetch, and better than the older landscape-common):

sudo apt install -y fastfetch

Create /etc/update-motd.d/50-system-info:

sudo tee /etc/update-motd.d/50-system-info << 'EOF'
#!/bin/bash
#
# Display system information on login

printf "\n"
printf "  Hostname:     %s\n" "$(hostname -f)"
printf "  Last reboot:  %s\n" "$(uptime --since)"
printf "  Uptime:       %s\n" "$(uptime --pretty)"
printf "  Load:         %s\n" "$(cat /proc/loadavg | cut -d' ' -f1-3)"
printf "  Memory:       %s used of %s\n" \
    "$(free -h | awk '/^Mem:/{print $3}')" \
    "$(free -h | awk '/^Mem:/{print $2}')"
printf "  Disk /:       %s\n" "$(df -h / | awk 'NR==2{print $3" used of "$2" ("$5")"}')"
printf "\n"

# Show pending updates if any (apt marks each such line "[upgradable from: ...]")
UPDATES=$(apt list --upgradable 2>/dev/null | grep -c 'upgradable from')
if [ "$UPDATES" -gt 0 ] 2>/dev/null; then
    printf "  !! %s package update(s) available\n\n" "$UPDATES"
fi

EOF

sudo chmod +x /etc/update-motd.d/50-system-info

This produces a clean login summary showing hostname, uptime, resource usage, and pending updates.

etckeeper: version control for /etc

etckeeper automatically commits changes to /etc to a git repository, giving a full audit trail of configuration changes with timestamps and the user who made them.

sudo apt install -y etckeeper

etckeeper initialises automatically on installation. Check the current state:

sudo etckeeper vcs log --oneline

Changes to files in /etc are committed automatically before and after apt operations. Manual commits can be made at any time:

sudo etckeeper commit "Initial server configuration"

This is particularly valuable on the Proxmox host, where configuration changes to files in /etc should be tracked. It is less critical for containers, where the service configuration is typically in /etc/servicename/ and the whole container can be snapshotted via Proxmox.

Logwatch: log summaries by email

logwatch analyses system logs and sends a daily email summary of notable events:

sudo apt install -y logwatch

Configure the daily report in /etc/logwatch/conf/logwatch.conf:

sudo tee /etc/logwatch/conf/logwatch.conf << 'EOF'
Output = mail
Format = html
MailTo = root
MailFrom = logwatch@yourdomain.net
Range = yesterday
Detail = Low
Service = All
EOF

The daily summary arrives in your inbox alongside other server mail, providing a passive overview of authentication attempts, errors, and service activity without requiring active log monitoring.

fail2ban: automated intrusion prevention

fail2ban monitors log files and automatically blocks IP addresses that show signs of malicious activity: repeated failed SSH logins, web scraping, mail relay attempts, and similar.

sudo apt install -y fail2ban

The default configuration protects SSH. Create a local override to adjust the parameters:

sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# Ban for 1 hour
bantime = 3600

# Ban IPs that fail 5 times within 10 minutes
findtime = 600
maxretry = 5

# Email notification on ban
destemail = root
sender = fail2ban@yourdomain.net
action = %(action_mw)s

[sshd]
enabled = true
port = 63508
logpath = %(sshd_log)s
EOF

sudo systemctl enable --now fail2ban

Adjust the SSH port to match the non-standard port configured in the SSH server section.

Check the current ban status:

sudo fail2ban-client status sshd
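To show how bantime, findtime and maxretry from the jail.local above interact, here is an added example (not fail2ban's own code and not from the original page) that replays constructed sshd log lines through a simplified sliding-window model. The log format, host name, IP addresses and the single "Failed password" pattern are assumptions made for the sketch; fail2ban's real sshd filter covers many more message types.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the [DEFAULT] section of jail.local above (seconds / count).
BANTIME, FINDTIME, MAXRETRY = 3600, 600, 5

# Simplified pattern for this sketch only; the real sshd filter is broader.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def simulate(lines):
    """Return [(ip, banned_at, unbanned_at)] for a time-ordered list of log lines."""
    recent = defaultdict(deque)      # ip -> failure times still inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                 # successful logins and other lines are ignored
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and when < banned_until[ip]:
            continue                 # address is already blocked
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()         # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = when + timedelta(seconds=BANTIME)
            bans.append((ip, when, banned_until[ip]))
            window.clear()
    return bans

def sample_log():
    """Constructed log lines (documentation IP ranges, made-up host name)."""
    start = datetime(2026, 1, 10, 3, 0, 0)
    def fail(offset, ip):
        ts = (start + timedelta(seconds=offset)).isoformat()
        return f"{ts} ct-web sshd[811]: Failed password for invalid user admin from {ip} port 50122 ssh2"
    burst = [fail(o, "203.0.113.7") for o in (0, 40, 80, 120, 160, 200)]
    typos = [fail(o, "198.51.100.23") for o in (0, 200, 400, 620, 840)]
    ok = [f"{start.isoformat()} ct-web sshd[812]: Accepted publickey for admin from 198.51.100.23 port 50200 ssh2"]
    return sorted(burst + typos + ok)
```

In the sample, the address with five failures inside 160 seconds is banned for one hour at the fifth failure, while the address whose five failures are spread over 14 minutes never has more than three inside any 10-minute window and is not banned.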

molly-guard and fail2ban are the two tools most likely to prevent embarrassing incidents on a multi-server homelab. Install them early and leave them running. molly-guard saves you from accidentally rebooting the production server when you meant to reboot a test container. fail2ban handles the constant low-level authentication noise that every internet-exposed server receives.