First Minutes On A New Server (Ubuntu)

Inspired by Brian Kennedy’s Blog Post and Cody Littlewood’s Blog Post

Change the Root Password

Change the root password to something very complex.

passwd

Update the System

Use apt, the Advanced Package Tool, to update the package index files.

apt update

And then install the newest versions of all currently installed packages.

apt upgrade

Many guides use apt-get instead. The apt command is meant to be pleasant for end users and does not need to be backward compatible like apt-get(8).

You can find more information on this topic here.

Block suspicious activity on the server (Fail2ban)

Fail2ban can be used to block suspicious activity on the server. It scans log files and bans IP addresses that show malicious signs.

Install Fail2ban:

apt install fail2ban

Enable Automatic Security Updates (unattended-upgrades)

Enable automatic security updates with unattended-upgrades:

apt install unattended-upgrades

Edit 10periodic:

vim /etc/apt/apt.conf.d/10periodic

and make it look like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Edit 50unattended-upgrades:

vim /etc/apt/apt.conf.d/50unattended-upgrades

and make it look like this:

Unattended-Upgrade::Allowed-Origins {   
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";        
    "${distro_id}ESM:${distro_codename}";
    //"${distro_id}:${distro_codename}-updates";
};

Add a user, which you use to work on the server

You should not use the root user to work on the server. Instead, add another user that can use sudo. Let’s call this user deploy. Create it, and also create the .ssh directory (restricted to deploy) that we need later:

useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh 

Set the preferred shell for the new user:

usermod -s /bin/bash deploy  

Configure public key authentication

It’s more secure to use public key authentication than to use passwords.

Create a key pair on your computer

On your Mac, not on the server, generate your key pair in your home directory for the current user:

ssh-keygen -t rsa

This creates your SSH key pair (RSA / 2048 bit).

Copy the public key to the server

To copy your key to the server:

vim /home/deploy/.ssh/authorized_keys

Copy and paste the content of id_rsa.pub from your local computer to this file on the server.

Secure the authorized_keys file on the server

After adding your public key to the authorized_keys file, make sure the file is readable only by deploy and writable by nobody:

chmod 400 /home/deploy/.ssh/authorized_keys

Now change the owner of the /home/deploy directory to the user deploy, because currently the owner is root:

chown deploy:deploy /home/deploy -R
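
sshd's StrictModes setting (on by default) rejects key logins when the home directory, .ssh or authorized_keys is group- or world-writable or owned by the wrong user, which is why the chmod and chown steps above matter. The following check is an added example, not part of the original post; the function names check_one and check_ssh_dir are hypothetical, and the demo runs against a constructed throw-away directory.

```shell
#!/bin/sh
# Added example: pre-flight check of the modes and ownership that sshd's
# StrictModes verifies before it will use authorized_keys.

# check_one PATH UID STRICT -> 0 when PATH is not group/other-writable and is
# owned by UID (root is also accepted unless STRICT=1)
check_one() {
    line=$(ls -ldn "$1" 2>/dev/null) || { echo "FAIL $1: missing"; return 1; }
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    case "$mode" in
        ?????w*|????????w*) echo "FAIL $1: group/other-writable ($mode)"; return 1 ;;
    esac
    if [ "$owner" != "$2" ] && { [ "$3" = 1 ] || [ "$owner" != 0 ]; }; then
        echo "FAIL $1: owned by uid $owner, expected $2"; return 1
    fi
    echo "ok   $1 ($mode uid=$owner)"
}

# check_ssh_dir HOME UID -> 0 only if home, .ssh and authorized_keys all pass
check_ssh_dir() {
    rc=0
    check_one "$1" "$2" 0 || rc=1
    check_one "$1/.ssh" "$2" 0 || rc=1
    # Mode 400 makes the key file readable by its owner only, so the owner
    # must be the login user here, not root.
    check_one "$1/.ssh/authorized_keys" "$2" 1 || rc=1
    return $rc
}

# Constructed demo: a throw-away home directory owned by the current user.
# On the server: check_ssh_dir /home/deploy "$(id -u deploy)"
demo_home=$(mktemp -d)
mkdir -m 700 "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 400 "$demo_home/.ssh/authorized_keys"
check_ssh_dir "$demo_home" "$(id -u)"
```

If the chown step is skipped, authorized_keys stays owned by root with mode 400 and the check reports it, matching the failed key login you would otherwise see in the next step.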

Test the deploy user and your added SSH keys

Keep your existing terminal with the root login open! Open another terminal window and try to log in with the new deploy user and your added SSH keys:

ssh deploy@<hostname>

If it works, exit and return to the terminal with the root user active and change the password for the user deploy:

passwd deploy

Use a complex password. This is the password you will later use to sudo.

Disable root login and the use of passwords for logins

Disable the use of root for logins and the use of passwords for logins:

vim /etc/ssh/sshd_config

Find these lines and make them look like this:

PermitRootLogin no
PasswordAuthentication no

If you are on a network with a static public IP you can further restrict logins to your deploy user from this static IP. Don’t do this if you have a home internet connection with a changing IP!

AllowUsers deploy@<your-ip> deploy@<another-ip-if-any>

Now restart SSH to apply your changes:

systemctl restart ssh
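
sshd uses the first value it finds for each keyword, and the stock sshd_config on recent Ubuntu releases starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there can override the two lines edited above. The following is an added example, not part of the original post: hypothetical helper functions that resolve a keyword the same first-match way over a constructed config tree, assuming plain "Keyword value" lines, absolute Include paths and no Match blocks.

```shell
#!/bin/sh
# Added example: resolve an sshd keyword the way sshd does (the first value
# found wins), following Include lines. Assumptions: "Keyword value" syntax,
# absolute Include paths, no Match blocks.

# _scan KEYWORD_LOWERCASE FILE -> every value set for the keyword, in parse order
_scan() {
    while read -r key val; do
        key_lc=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$key_lc" in
            ''|'#'*) continue ;;
            include)
                for inc in $val; do          # unquoted on purpose: expand the glob
                    if [ -f "$inc" ]; then _scan "$1" "$inc"; fi
                done ;;
            "$1") printf '%s\n' "$val" ;;
        esac
    done < "$2"
}

# effective_value KEYWORD FILE -> the value sshd would use, empty if unset
effective_value() {
    _scan "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2" | head -n 1
}

# Constructed sample tree: the main file says "no", an included drop-in says "yes".
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-example.conf"
    printf '%s\n' "Include $d/sshd_config.d/*.conf" \
        '#PermitRootLogin prohibit-password' \
        'PermitRootLogin no' 'PasswordAuthentication no' > "$d/sshd_config"
    printf '%s\n' "$d/sshd_config"
}

cfg=$(make_sample)
for k in PermitRootLogin PasswordAuthentication; do
    printf '%-24s %s\n' "$k" "$(effective_value "$k" "$cfg")"
done
```

On the server itself, running sshd -T as root prints the effective settings as sshd resolved them, which is the authoritative check after the restart.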

Let user deploy use the sudo command

Edit sudoers:

visudo

and comment out all existing groups (groups start with %) and users, then make sure these lines are present (or add them):

root    ALL=(ALL) ALL
%sudo   ALL=(ALL) ALL

Now add our deploy user to the sudo group:

usermod -aG sudo deploy

Set up a firewall (ufw)

Ubuntu provides ufw, which makes firewall configuration easy.

Check in the configuration file that IPv6 is enabled. Open the config file:

vim /etc/default/ufw

and set IPv6 to yes, if it is set to no:

IPV6=yes

If you are on a home network with a changing IP, allow port 22 for SSH and ports 80 and 443 for your web server:

ufw allow 22
ufw allow 80
ufw allow 443
ufw enable

If you have a static IP, you can restrict the use of port 22 to your IP. Don’t do this if you have a changing IP, as in a home network:

sudo ufw allow from <your-ip> to any port 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw disable
sudo ufw enable

Receive information from your logs via email (logwatch)

To install logwatch:

apt install logwatch

Logwatch automatically installs a daily cron job. Edit the cron job with:

vim /etc/cron.daily/00logwatch

For text emails:

/usr/sbin/logwatch --output mail --mailto <you@example.com> --detail high

For HTML emails:

/usr/sbin/logwatch --output mail --mailto <you@example.com> --detail high --format html

Log out

Now log out of your root user session and start using your deploy user with sudo for managing your server.