on Initial Ubuntu server setup

When you have a new server, there are a few important steps you should take before you start using it. This guide is written for an Ubuntu-based system, but it should work on any Linux distribution with slight modifications.

First of all you need to connect to your server via SSH using the following command (replace 111.111.111.111 with your server's IP address):

ssh root@111.111.111.111

If you see a warning like the one below, your client has never seen this host's key before. Compare the fingerprint it shows with the one published in your provider's console (or obtained over some other trusted channel); if they match, type yes and enter your root password. Accepting an unverified key blindly means a man-in-the-middle on this first connection would go unnoticed.

The authenticity of host '111.111.111.111 (111.111.111.111)' can't be established.
ECDSA key fingerprint is 04:08:6f:40:5c:8c:0a:c3:6d:7f:92:00:09:66:4a:22.
Are you sure you want to continue connecting (yes/no)?
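The fingerprint check above is the only defence against a man-in-the-middle on the first connection, so it is worth doing properly. The following is an added example, not part of the original guide: the commands to read the fingerprint from the server's console and a small shell helper that normalises the two formats OpenSSH prints (the colon-separated MD5 style shown above and the SHA256 style used by OpenSSH 6.8 and later) so they can be compared. The fingerprint values used to exercise it are the one from the prompt above and a made-up SHA256 value, purely as sample input.

```shell
#!/bin/sh
# Added example, not from the original guide. On the SERVER, through the
# provider's console (not over SSH), print the host key fingerprint:
#
#   ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub          # SHA256 style (OpenSSH 6.8+)
#   ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub -E md5   # colon style, as in old clients
#
# Then compare that value with what the client prompt shows before typing yes.

# Normalise a fingerprint so both styles compare reliably: SHA256 values are
# base64 and kept as-is (minus padding); MD5 values lose the "MD5:" prefix,
# the colons and the case of the hex digits.
fp_normalize() {
    case "$1" in
        SHA256:*) printf '%s' "$1" | sed 's/=*$//' ;;
        *)        printf '%s' "$1" | sed -e 's/^MD5://' -e 's/://g' | tr 'A-F' 'a-f' ;;
    esac
}

# Extract the fingerprint from the saved text of the first-connection prompt
# ("... key fingerprint is <value>."), whether it is on one line or wrapped.
fp_from_prompt() {
    printf '%s\n' "$1" | tr '\n' ' ' \
        | sed -n 's/.*key fingerprint is *\([^ .]*\)\.*.*/\1/p'
}

# Exit status 0 when the value from the console matches the one in the prompt.
fp_matches() {
    expected=$(fp_normalize "$1")
    shown=$(fp_normalize "$2")
    [ -n "$expected" ] && [ "$expected" = "$shown" ]
}

# Usage on the client: put the prompt text in PROMPT and the console value in
# EXPECTED, then:
#   fp_matches "$EXPECTED" "$(fp_from_prompt "$PROMPT")" && echo "host key OK"
```

Only after fp_matches succeeds should you answer yes; if the two values differ, stop and find out why before sending your root password over that connection.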

Set the hostname and FQDN

A hostname is a unique name that identifies your system on a network, while the fully qualified domain name (FQDN) is a complete domain name that uniquely identifies a machine in the DNS name space and usually consists of two parts: the hostname and a second-level domain (SLD). For example, the FQDN of your server might be myhost.mydomain.org.

To set the hostname type the following command:

echo myhost > /etc/hostname
service hostname restart

Next, to set the FQDN, edit the /etc/hosts file with your editor of choice so that it resembles the following example (substituting your own values, of course):

vim /etc/hosts
127.0.0.1 localhost.localdomain localhost
111.111.111.111 myhost.mydomain.org  myhost

To verify that the hostname was set properly, run hostname; similarly, to verify the FQDN, run hostname -f.

If you want your machine to be reachable over the Internet via its FQDN, you need to create a DNS record for it.
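Editing /etc/hosts by hand is fine once, but if you script the setup (or re-run it) you want the edit to be idempotent, and you want to know what hostname -f will return before any service relies on it. The following shell functions are an added example, not part of the original guide; ROOT is a prefix I introduced so they can be tried against a scratch directory, and on a real server they run as root with ROOT left empty. The hostnamectl branch covers Ubuntu releases that use systemd (15.04 and later); the service hostname restart used above covers 14.04.

```shell
#!/bin/sh
# Added example, not from the original guide. ROOT="" targets the real
# /etc; any other value targets a scratch copy for testing.
ROOT="${ROOT:-}"

# Write /etc/hostname and apply the name to the running system.
set_hostname() {
    name="$1"
    printf '%s\n' "$name" > "$ROOT/etc/hostname"
    if [ -z "$ROOT" ]; then
        if command -v hostnamectl >/dev/null 2>&1; then
            hostnamectl set-hostname "$name"   # systemd releases
        else
            service hostname restart           # Ubuntu 14.04 (upstart)
        fi
    fi
}

# Add or replace the /etc/hosts line for IP so that "hostname -f" returns FQDN.
# Lines for other addresses (127.0.0.1 localhost, ::1 ...) are left alone, and
# running it twice leaves a single entry instead of a growing list of duplicates.
set_fqdn() {
    ip="$1"; fqdn="$2"; short="$3"
    hosts="$ROOT/etc/hosts"
    awk -v ip="$ip" '$1 != ip' "$hosts" > "$hosts.tmp"
    printf '%s\t%s\t%s\n' "$ip" "$fqdn" "$short" >> "$hosts.tmp"
    mv "$hosts.tmp" "$hosts"
}

# What "hostname -f" will resolve to from the files alone: the canonical
# (second) field of the first non-comment /etc/hosts line that lists the short
# hostname, or nothing if the mapping is missing.
fqdn_from_files() {
    short=$(cat "$ROOT/etc/hostname")
    awk -v h="$short" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $2; exit } }
    ' "$ROOT/etc/hosts"
}

# Usage on the server (as root):
#   set_hostname myhost
#   set_fqdn 111.111.111.111 myhost.mydomain.org myhost
#   [ "$(fqdn_from_files)" = myhost.mydomain.org ] && echo "hosts mapping OK"
```

An empty result from fqdn_from_files means hostname -f will fail or fall back to DNS, which is exactly the situation that makes mail and logging daemons misbehave at boot, so fix it before moving on.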

Change your root password

Change the root password to something long and hard to guess: at least twelve characters, or a multi-word passphrase, mixing digits, letters and non-alphanumeric characters, and not based on personal data or dictionary words. To change the root password, type the following command:

passwd

You will be prompted to enter the new password twice.

Update your system

You need to update your system regularly to improve stability and performance and to protect it from known vulnerabilities. To upgrade the packages on your server, run:

apt-get update && apt-get -y upgrade

If you want to stay up to date with the latest security patches, enable automatic updates. To install the unattended-upgrades package and turn it on, run the following commands and answer yes when asked whether to install updates automatically:

apt-get install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

If your server runs CentOS or RHEL, update it with yum update instead.
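dpkg-reconfigure above writes a small apt fragment, and it is easy to lose track of whether the timer is actually still on after later changes. The following is an added example, not part of the original guide: a function that writes the same fragment non-interactively (for scripted setups) and one that reports the effective value of an APT::Periodic option the way apt sees it, since the fragments in /etc/apt/apt.conf.d are read in lexical order and a later file silently overrides an earlier one. ROOT is a prefix I introduced for testing against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original guide. ROOT="" targets the real
# /etc; any other value targets a scratch copy for testing.
ROOT="${ROOT:-}"

# Non-interactive equivalent of answering yes to
# "dpkg-reconfigure -plow unattended-upgrades": refresh the package lists
# and run unattended-upgrade once a day.
enable_auto_updates() {
    d="$ROOT/etc/apt/apt.conf.d"
    mkdir -p "$d"
    cat > "$d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Effective value of APT::Periodic::<option>: apt reads the apt.conf.d
# fragments in lexical order and the last definition of a scalar wins, so a
# stray 'APT::Periodic::Unattended-Upgrade "0";' in a 99-something file turns
# the timer off again without touching 20auto-upgrades. Prints nothing when
# the option is not set anywhere.
periodic_value() {
    opt="$1"
    cat "$ROOT"/etc/apt/apt.conf.d/* 2>/dev/null \
        | sed -n "s/^[[:space:]]*APT::Periodic::$opt[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        | tail -n 1
}

# On the real server, after enable_auto_updates, a dry run shows what the next
# unattended run would install without changing anything:
#   unattended-upgrade --dry-run --debug
# Which packages qualify is governed by Unattended-Upgrade::Allowed-Origins in
# /etc/apt/apt.conf.d/50unattended-upgrades (the -security origin by default).
```

A quick `periodic_value Unattended-Upgrade` is a cheap thing to put in a monitoring check: "1" means the daily run is still scheduled, anything else means someone or something switched it off.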

Set the Timezone

To change your server’s timezone execute the following command and select your preferred timezone:

dpkg-reconfigure tzdata

Create a new sudo user

It's a very good practice to run your applications and day-to-day commands as an unprivileged user rather than as root, because it adds a layer of protection: a mistake or a compromised program only has that user's rights unless you explicitly escalate with sudo.

Enter the following command to create a new user "newuser" (replace "newuser" with your own username):

adduser newuser

You will be asked a series of questions including your password.

Adding user `newuser' ...
Adding new group `newuser' (1001) ...
Adding new user `newuser' (1001) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
    Full Name []: 
    Room Number []: 
    Work Phone []: 
    Home Phone []: 
    Other []: 
Is the information correct? [Y/n] 

In Ubuntu, members of the group sudo may run any command as root through sudo, so you only need to add "newuser" to that group. To do that, run:

usermod -aG sudo newuser 

Now, whenever you want to run a command with root privileges as the new user, simply prefix it with sudo; you will be asked for the user's own password, not root's.

The group sudo may not exist on other distributions. On CentOS/RHEL, for example, run visudo and append the line newuser ALL=(ALL) ALL to the sudoers file (or add the user to the wheel group, if the %wheel line in sudoers is enabled). Always edit sudoers through visudo, which checks the syntax before saving; a typo there can lock you out of sudo entirely.

SSH configuration

Even a long, complex password can be guessed, brute-forced or phished. The most common and effective way of securing SSH access to your server is key-based login: the private key never leaves your machine and the server only stores the public half, so there is no secret on the server for an attacker to capture and nothing to guess online.

First, check whether you already have SSH keys on your local machine. Open a new terminal on your local machine (keep the root session open until you have finished the guide, or you may lock yourself out) and type:

ls -al ~/.ssh

If the directory listing contains id_rsa.pub or id_ed25519.pub (or id_dsa.pub, though DSA keys are deprecated and disabled by default since OpenSSH 7.0), you already have a key pair.

If you already have SSH keys, skip this step; otherwise generate a new key pair by running:

ssh-keygen -t rsa -C "your_email@example.com"

You will be asked for a passphrase. Set one: it encrypts the private key on disk, so a stolen laptop or a copied ~/.ssh directory does not immediately give away access to your server. (If you really don't want a passphrase, press Enter twice.)

Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa): 
Created directory '/home/localuser/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/localuser/.ssh/id_rsa.
Your public key has been saved in /home/localuser/.ssh/id_rsa.pub.
The key fingerprint is:
26:7a:cd:fd:59:f6:27:86:41:b4:16:c0:92:9a:07:39 your_email@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|       . o..     |
|      E o . o    |
|       = . . o   |
|      o +   +    |
|      ..S  o     |
|     . = .  .    |
|    . . o .  .o  |
|     .     ..+o..|
|            o. .o|
+-----------------+

Next, transfer the public key to your remote server (ssh-copy-id appends it to ~/.ssh/authorized_keys for newuser on the server):

ssh-copy-id newuser@111.111.111.111

You should see something like:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
newuser@111.111.111.111's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'newuser@111.111.111.111'"
and check to make sure that only the key(s) you wanted were added.

As the message says, try logging into your server with ssh newuser@111.111.111.111; if you set a passphrase, you will be asked for it instead of the account password.

Now that you can log in as your sudo user, you can configure the SSH daemon through its settings in /etc/ssh/sshd_config.

Let's change the default SSH port (22) to 9922 and disable remote root login. Moving the port is not a security control by itself (a port scan finds it in seconds), but it cuts the log noise from automated scanners; disabling root login is what actually matters, since it removes the one account name every attacker already knows.

In order to do this, open up the SSH configuration file

sudo nano /etc/ssh/sshd_config

and change Port 22 to Port 9922 and PermitRootLogin yes to PermitRootLogin no.

[...]
Port 9922
[...]
PermitRootLogin no
[...]

If you are the only user who logs in via SSH, I'd recommend restricting logins to your user name with AllowUsers (several names can be listed, separated by spaces) by adding the following line to /etc/ssh/sshd_config:

AllowUsers newuser

Finally, restart the SSH service for the changes to take effect. Do this from the session you already have open and keep that session open; if a firewall is running on the server, make sure it allows the new port first, otherwise the restart will lock you out.

service ssh restart

To check that the changes worked, open a new terminal on your local machine and try to log in as root on the new port; you should see a message like the one below:

ssh root@111.111.111.111 -p9922
root@111.111.111.111's password: 
Permission denied, please try again.
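The edits above are easy to get subtly wrong: sshd uses the first occurrence of a directive, so a forgotten PermitRootLogin yes higher up in the file wins over the one you changed; a directive appended below a Match block applies only to that block; and a restart with a typo in the file, or with a firewall that still only allows port 22, locks you out. The following shell functions are an added example, not part of the original guide: a reader that returns the value sshd will actually use, a setter that edits idempotently and keeps the directive above any Match block, a checker for the settings this section cares about, and the apply sequence in a safe order. PasswordAuthentication no is this example's own addition beyond what the guide sets; enable it only after the key login from the previous step works, since it switches off password logins for every user. The sshd_config used in the check is a constructed sample, not a real server's file.

```shell
#!/bin/sh
# Added example, not from the original guide. Every function takes the path
# of an sshd_config so it can be tried on a copy first.

# Value sshd will use for a directive: the FIRST active occurrence counts,
# keywords are case-insensitive, '#' starts a comment, and anything after the
# first Match block is conditional, so the scan stops there.
sshd_get() {
    file="$1"; key="$2"
    awk -v key="$key" '
        { sub(/#.*/, "") }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$file"
}

# Set a directive so that sshd_get returns VAL afterwards: replace the first
# active occurrence in place, comment out later duplicates, and if it is absent
# insert it before the first Match block (or at the end when there is none).
sshd_set() {
    file="$1"; key="$2"; val="$3"
    awk -v key="$key" -v val="$val" '
        {
            line = $0; sub(/#.*/, "", line); n = split(line, f)
            if (!in_match && n > 0 && tolower(f[1]) == "match") {
                if (!done) { print key " " val; done = 1 }
                in_match = 1
            }
            if (!in_match && n > 0 && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " val; done = 1 } else { print "#" $0 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Report settings still at a risky value; prints one key=value per finding and
# returns non-zero if there is any.
sshd_audit() {
    file="$1"; rc=0
    for want in "PermitRootLogin=no" "PasswordAuthentication=no"; do
        key=${want%%=*}; val=${want#*=}
        got=$(sshd_get "$file" "$key")
        [ "$got" = "$val" ] || { echo "$key=${got:-<unset, default applies>}"; rc=1; }
    done
    [ -n "$(sshd_get "$file" AllowUsers)" ] || { echo "AllowUsers=<unset>"; rc=1; }
    return $rc
}

# The settings from this section plus PasswordAuthentication (this example's
# own addition: set it only once key login works).
harden_sshd() {
    file="${1:-/etc/ssh/sshd_config}"
    sshd_set "$file" Port 9922
    sshd_set "$file" PermitRootLogin no
    sshd_set "$file" AllowUsers newuser
    sshd_set "$file" PasswordAuthentication no
    sshd_audit "$file"
}

# On the real server, in this order, from the session you already have open:
#   harden_sshd                      # edits /etc/ssh/sshd_config
#   sshd -t                          # syntax check; fix anything it reports
#   ufw allow 9922/tcp               # only if a firewall is active
#   service ssh restart
#   # then, from a NEW terminal: ssh newuser@111.111.111.111 -p 9922
#   # and only once that works, close the old session (and ufw delete allow 22/tcp).
```

sshd_get is also the right tool for confirming the change after the restart: if it reports PermitRootLogin as anything other than no, an earlier line in the file is overriding your edit, which is exactly the case sshd_set handles by commenting out the later duplicates.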

Finally, if you want to simplify the login process and reach your server by just typing ssh myhost, add the following to the ~/.ssh/config file on your local machine:

# contents of /home/localuser/.ssh/config
Host myhost
    HostName 111.111.111.111
    Port 9922
    User newuser

Now that you have a solid foundation for your Ubuntu 14.04 server, you can go on to secure it further with iptables, or install whatever software you need.