When you have a new server, there are a few important steps you should take before you start using the server. This guide is written for an Ubuntu based system but it should work on any Linux distribution with slight modifications.
First of all you need to connect to your server via SSH using the following command (replace 126.96.36.199 with your server's IP address):
If you see a warning like the one below, just type yes and enter your root password.
The authenticity of host '188.8.131.52 (184.108.40.206)' can't be established.
ECDSA key fingerprint is 04:08:6f:40:5c:8c:0a:c3:6d:7f:92:00:09:66:4a:22.
Are you sure you want to continue connecting (yes/no)?
Set the hostname && FQDN
A hostname is a unique name created to identify your system on a network, while the fully qualified domain name (FQDN) is a complete domain name that uniquely identifies a machine in the DNS name space and usually consists of two parts: the hostname and a second-level domain (SLD). For example, an FQDN for your server might be
To set the hostname type the following command:
echo myhost > /etc/hostname
service hostname restart
Next, to set the FQDN, edit the /etc/hosts file with your editor of choice so it resembles the following example (of course you need to substitute those values with your own):
vim /etc/hosts
127.0.0.1 localhost.localdomain localhost
220.127.116.11 myhost.mydomain.org myhost
To verify that the hostname was properly set, run hostname; likewise, to verify the FQDN, run
If you want your machine to be reachable over the Internet via its FQDN, you need to create a DNS record for it.
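The order of the names on the /etc/hosts line matters: the FQDN must come first after the address, because hostname -f resolves the short name through this file and reports the first name it finds. The following script is an added example, not part of the original guide; it maintains that entry idempotently on a hosts file whose path you pass in (so it can be tried on a copy first) and checks the result. The address 203.0.113.10 and the names myhost.mydomain.org / myhost are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original guide): keep the FQDN entry in a hosts
# file idempotently and verify it, using only POSIX tools.
# Assumption: the hosts file path is passed as the first argument so the
# functions can be exercised on a copy before touching /etc/hosts.

# Replace (or append) the line for $fqdn/$short in $file with "$ip $fqdn $short".
# The FQDN is written first after the address: "hostname -f" resolves the short
# name through this file and reports the first name on the matching line.
hosts_set_entry() {
    file=$1; ip=$2; fqdn=$3; short=$4
    tmp=$(mktemp)
    # keep comment lines; drop any existing line that already carries the FQDN
    # or the short name (e.g. Ubuntu's default "127.0.1.1 myhost"); keep the rest
    awk -v f="$fqdn" -v s="$short" '
        /^[ \t]*#/ { print; next }
        {
            keep = 1
            for (i = 2; i <= NF; i++) if ($i == f || $i == s) keep = 0
            if (keep) print
        }' "$file" > "$tmp"
    printf '%s %s %s\n' "$ip" "$fqdn" "$short" >> "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: preserves the owner and mode of /etc/hosts
    rm -f "$tmp"
}

# Print the address the file maps $name to (first non-comment match), or nothing.
hosts_lookup() {
    awk -v n="$2" '!/^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Print the canonical (first) name on the line for $ip: what "hostname -f"
# reports once the short hostname resolves to that line.
hosts_canonical_name() {
    awk -v a="$2" '!/^[ \t]*#/ && $1 == a { print $2; exit }' "$1"
}

# Live check, only meaningful on the server itself after the change:
# "hostname" should print the short name and "hostname -f" the FQDN.
verify_live_hostname() {
    [ "$(hostname)" = "$1" ] && [ "$(hostname -f)" = "$2" ]
}

# Typical use on the server (as root), with your own values:
#   hosts_set_entry /etc/hosts 220.127.116.11 myhost.mydomain.org myhost
#   verify_live_hostname myhost myhost.mydomain.org && echo "hostname and FQDN OK"
```

Running hosts_set_entry twice with the same values leaves exactly one entry, so the function is safe to keep in a provisioning script that is re-run.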
Change your root password
Change the root password to something long and complex. Choose a password that is at least eight characters long and mixes digits, letters and non-alphanumeric characters. Do not base it on personal data or dictionary words. To change the root password, type the following command:
You will be prompted to enter the new password twice.
Update your system
You need to update your system regularly to improve stability and performance and to protect it from known vulnerabilities. To upgrade the packages on your server, run the following command:
apt-get update && apt-get -y upgrade
If you want to stay up to date with the latest security patches, you should enable automatic updates. To install and enable the unattended-upgrades package, run the following commands:
apt-get install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
If you have CentOS or RHEL on your server, to update the server run
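On Ubuntu, dpkg-reconfigure -plow unattended-upgrades turns the periodic upgrade on by writing APT::Periodic options to /etc/apt/apt.conf.d/20auto-upgrades. The following check is an added example, not part of the original guide: it reads that file (the path is an assumption and can be overridden) and reports whether both the package-list refresh and the unattended upgrade are actually enabled, which is a useful thing to assert from a provisioning or audit script.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that APT's periodic
# unattended upgrades are switched on by reading the file that
# "dpkg-reconfigure -plow unattended-upgrades" writes on Ubuntu.
# Assumed path: /etc/apt/apt.conf.d/20auto-upgrades (override with $1).

# Print the value of an APT::Periodic::* option from a file, or "0" when it is
# absent or commented out. Lines look like:
#   APT::Periodic::Unattended-Upgrade "1";
apt_periodic_value() {
    file=$1; key=$2
    awk -v k="$key" '
        /^[ \t]*\/\// { next }          # skip "//" comment lines
        $1 == k {
            v = $2
            gsub(/[";]/, "", v)         # strip the quotes and trailing semicolon
            print v; found = 1; exit
        }
        END { if (!found) print "0" }' "$file"
}

# Succeed (exit 0) only when both the package-list refresh and the unattended
# upgrade itself are enabled; fail if the file is missing or either is off.
auto_upgrades_enabled() {
    file=${1:-/etc/apt/apt.conf.d/20auto-upgrades}
    [ -r "$file" ] || return 1
    [ "$(apt_periodic_value "$file" 'APT::Periodic::Update-Package-Lists')" = "1" ] &&
    [ "$(apt_periodic_value "$file" 'APT::Periodic::Unattended-Upgrade')" = "1" ]
}

# Typical use on the server:
#   auto_upgrades_enabled && echo "automatic security updates are on" \
#       || echo "automatic updates NOT enabled; re-run dpkg-reconfigure -plow unattended-upgrades"
```

The check treats an absent or commented-out option as "0", which is how APT behaves, so a half-written config file is reported as disabled rather than silently passing.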
Set the Timezone
To change your server’s timezone execute the following command and select your preferred timezone:
Create a new sudo user
It's very good practice to run your applications and commands as a regular user rather than as root, because it gives you an additional layer of security.
Enter the following command to create a new user "newuser" (replace "newuser" with your own username):
You will be asked a series of questions including your password.
Adding user `newuser' ...
Adding new group `newuser' (1001) ...
Adding new user `newuser' (1001) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
	Full Name :
	Room Number :
	Work Phone :
	Home Phone :
	Other :
Is the information correct? [Y/n]
In Ubuntu, members of the group sudo are allowed to execute any command, so you will only need to add the new user "newuser" to the sudo group. To do that just run the following command:
usermod -aG sudo newuser
Now, whenever you want to run a command with root privileges as the new user, simply type "sudo" before the command.
The group "sudo" may not exist in other distributions. For example, in CentOS/RHEL, to add a user to the sudoers file, run visudo and append the following line:
newuser ALL=(ALL) ALL
Even the longest and most complex password can eventually be cracked. The most common and effective way of securing SSH access to your server is to use a key-based SSH login. SSH keys are a way to identify trusted computers, without involving passwords.
First, you need to check if you already have SSH keys on your local machine. Open up a new terminal on your local machine (don't close the root terminal until you are done with the guide or you may lock yourself out) and type:
ls -al ~/.ssh
If the directory listing contains the files id_rsa and id_rsa.pub, then you already have an existing key pair.
If you already have SSH keys, skip this step; if not, generate a new SSH key by running the following command:
ssh-keygen -t rsa -C "firstname.lastname@example.org"
You'll be asked to enter a passphrase; if you don't want a passphrase, press the [enter] key twice.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):
Created directory '/home/localuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/localuser/.ssh/id_rsa.
Your public key has been saved in /home/localuser/.ssh/id_rsa.pub.
The key fingerprint is:
26:7a:cd:fd:59:f6:27:86:41:b4:16:c0:92:9a:07:39 email@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|      . o..      |
|     E o . o     |
|      = . . o    |
|       o + +     |
|      ..S o      |
|     . = . .     |
|    . . o . .o   |
|       . ..+o..  |
|          o. .o  |
+-----------------+
Next, you need to transfer the public key to your remote server. Run
You should see something like:
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
firstname.lastname@example.org's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'email@example.com'"
and check to make sure that only the key(s) you wanted were added.
As the message above says, you should now try logging into your server with ssh firstname.lastname@example.org; if you previously set a passphrase, you will be asked to enter it.
Now, when you are logged in as your sudo user, you can configure various SSH settings which are stored in the
Let's change the default SSH port (22) to 9922 and disable remote root login.
In order to do this, open up the SSH configuration file:
sudo nano /etc/ssh/sshd_config
and change Port 22 to Port 9922 and PermitRootLogin yes to PermitRootLogin no, so that the file contains:
[...]
Port 9922
[...]
PermitRootLogin no
[...]
If you are the only user who logs in via SSH, I'd recommend adding your user name to AllowUsers by adding the following line to the
Finally restart the ssh service for the changes to take effect.
service ssh restart
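Editing sshd_config by hand is fine once, but a mistake in it (or a restart on a config sshd rejects) is exactly how you lock yourself out of a remote box. The script below is an added example, not part of the original guide: it applies the three changes above (Port 9922, PermitRootLogin no, AllowUsers newuser) with a function that rewrites the first matching line in place, the way sshd reads keywords (first occurrence wins, case-insensitive), validates the result with sshd -t before restarting, and restores a backup if validation fails. The config path, the backup name and the sample lines in the comments are assumptions; keep your existing root session open while you run it, and make sure any firewall allows the new port before you rely on it.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the sshd_config changes
# from the text safely. Assumptions: config at /etc/ssh/sshd_config (override
# with the first argument of harden_sshd), backup written next to it as *.bak.

# Set "key value" in an sshd_config-style file. sshd honours the first
# occurrence of a keyword and matches it case-insensitively, so the first
# active or commented-out line for the key is rewritten in place, later active
# duplicates are dropped, and the key is appended if it was absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN {
            lk = tolower(k)
            active    = "^[ \t]*" lk "([ \t]|$)"       # e.g. "Port 22"
            commented = "^[ \t]*#[ \t]*" lk "([ \t]|$)" # e.g. "#Port 22"
        }
        { lo = tolower($0) }
        lo ~ active    { if (!done) { print k " " v; done = 1 }; next }
        lo ~ commented { if (!done) { print k " " v; done = 1; next } }
        { print }
        END { if (!done) print k " " v }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # cat rather than mv keeps the file's owner and mode
    rm -f "$tmp"
}

# Print the active value of a keyword (first occurrence), or nothing if unset.
get_sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" 'tolower($1) == k { print $2; exit }' "$1"
}

# Apply the guide's three settings, then restart only if sshd accepts the file.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp "$cfg" "$cfg.bak"                 # keep a copy for rollback
    set_sshd_option "$cfg" Port 9922
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" AllowUsers newuser
    if sshd -t -f "$cfg"; then           # -t parses and checks the config only
        service ssh restart
    else
        echo "sshd rejected $cfg; restoring $cfg.bak and not restarting" >&2
        cat "$cfg.bak" > "$cfg"
        return 1
    fi
}

# Run as root with "--apply" to change the live config; without it the script
# only defines the functions so they can be tried on a copy of the file first.
if [ "${1:-}" = "--apply" ]; then
    harden_sshd
fi
```

Before running it with --apply, copy /etc/ssh/sshd_config somewhere, call set_sshd_option on the copy and check it with get_sshd_option; that confirms the rewrite does what you expect on your distribution's stock file, which ships most keywords as commented-out defaults.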
To check that the changes were successful, open up a new terminal on your local machine and try to log in as root with email@example.com -p9922; you will see a message like the one below:
ssh firstname.lastname@example.org -p9922
email@example.com's password:
Permission denied, please try again.
Finally, if you want to simplify the login process and log in to your server by just typing ssh myhost, open up a new terminal on your local machine and add the following to the
# contents of /home/localuser/.ssh/config
Host myhost
    HostName 18.104.22.168
    Port 9922
    User newuser
Now that you have a solid foundation for your Ubuntu 14.04 server, you can begin securing your server with iptables or download and install whatever software you want.