Initial Ubuntu Server Setup

So, you just got a brand new server, with a pre-installed Ubuntu 14.04 LTS image. Now what? Well, you could start installing mail or http servers, but that wouldn't be good because there are still some things you should do, not only to make your server more secure, but also to optimize it and make sure that you're using all the resources that you have available. So let's start.

Adding A User

If you've got a VPS from Digital Ocean, Amazon Cloud Services, Google Cloud, etc. then your server probably is still using only the default root user. The root user, most commanly used in UNIX based systems, is the most powerful user in the system, it has read and write access to the entire disk and can modify all the processes and other users, think of the OS as a tree, you have the normal, non-admin users as the leaves and fruits, then the admin, non-root users as the trunk, and finaly, the root user, as (guess what), the roots, it is the origin of all the others, and without him there couldn't be the others.

As you can see, finding the password for the root user is a really, really bad thing, whoever holds its password has entire control over the machine, it can also create a lot of damage to the system if not used correctly, imagine that you give your son the root password, even if it is just for him to check his email. In most cases he could end up deleting sensible system files, and therefore, break the system. If you just gave him a normal non-admin account, even if he tried to damage the system, it wouldn't allow him to because he wouldn't have enough privileges to do so. That's why, even sysadmins try not to use the root account, they setup another account for them and add it sudo privileges. sudo is the command that declares that the command after it should be executed with root previleges, this is better then using root directly because you'll have to manually type sudo to make big changes, you can't just accidently do it. We'll take a look at it later.

Currently you're probably using the root account, as it is the only one. Let's change that. Add a new user with the command adduser and then the username. Remeber that the username can't contain wired things like spaces or any accents, etc. So imagine I wanted to add the user john, I would do it like this:

adduser john

This would create a user "john" whitout root previleges, but we need them, so to add root privileges, we add the user "john" to the sudo group.

gpasswd -a john sudo

Now "john" has root privileges by using the sudo command. To clear things up I'll explain you why this is important. Imagine that you needed to change the configuration for you Apache webserver, and that the address for the config file was /etc/apache2/apache2.conf, if you just edited with:

nano /etc/apache2/apache2.conf

It would allow you to edit it, but on time of saving it, it wouldn't allow you to, because you weren't using root privileges, so you can't write to that system file. On the other hand, if you did this with sudo:

sudo nano /etc/apache2/apache2.conf

Everything would work as you're editing it as root.
Now that you have a working sudo account, logout and ssh back but now with your new username, I would do it like this:

ssh [email protected]

And entered my password.

Securing SSH Connections

SSH, meaning "Secure Shell Script", allows you to remote control a server, or computer, via the shell. Think of it as the remote control that you know, like controlling your computer's screen via another computer, but this time it is only for the command line, just for commands. As so, we also don't want anyone else controlling our server. So to start let's change the default port, 22, to some other more complex, anything higher than 1000 shoud do it, if you have doubts in if the port you selected is already being used, then use the netstat command. It will output all the ports that are in use.

Now that you've fought of a port, let's actually change it to that. Imagine it was 2222, I would firstly open SSH's config file:

sudo nano /etc/ssh/sshd_config

And this will open the file /etc/ssh/sshd_config with the nano editor, now you'll see a lot of lines with multiple preferences, one of the top ones says:

Port 22

In my case, as I want the port to be the port 2222, I would replace that line with this:

Port 2222

Then, as a security measure, let's also say that SSH shouldn't allow root login, only other users, so search for the line that says:

PermitRootLogin yes

And replace it with:

PermitRootLogin no

Now to save the file, do CTRL-X, which means exit, then type Y and ENTER, to confirm that you want to save the changes. Now that you are bacj to the terminal, let's reload the SSH service, this basically means to turn it off and on again so tat the changes take effect. We do it like this:

sudo service ssh restart

Firewall Setup

A firewall is a really important security step, it sets rules for what ports should the server allow or deny connections. We'll use UFW for the firewall, it isn't the most advanced, but it will suffice for now, it should already be installed, but if not, let's install it with apt-get, apt-get is a package manager, think of it like an App Store but for server utilities and commands. It comes pre-installed with Ubuntu but it may be out-of-date, so let's update it:

sudo apt-get update

And then:

sudo apt-get upgrade

You may be asked if you want to update the available elements, press Y and ENTER to confirm it.

You should run these commands regurarly to check for updates. Now let's install UFW:

sudo apt-get install ufw

If it is already installed it will output a message saying that the package ufw is already installed and updated.

Let's start by setting default rules, these are meant so that if there's a combination that is not refered in particular, it will be handled by a default rule. In a server, you usually want it to, by default, allow outgoing connections and deny incoming connections. So let's do that with these commands:

sudo ufw default deny incoming

And:

sudo ufw default allow outgoing

Now let's set exceptions, you'll need to allow all the ports that your server will be listening on. I'll give examples for SSH, a default HTTP port and HTTPS. For this we use the sudo ufw allow command. So for SSH in the default port, we can do:

sudo ufw allow ssh

And for HTTP:

sudo ufw allow http

For HTTPS:

sudo ufw allow https

But we have changed the SSH port, now what? We'll need to set it by its port, let's imagine I use the port 2222, I would do it like this:

sudo ufw allow 2222

But we also want to autmatically deny the default SSH port, well, it is already doing it because we set the defaults to deny, but I'll show it to you:

sudo ufw deny ssh

Or:

sudo ufw deny 22

But now imagine that you've detected an automated bot always scanning your server, and you happen to get its IP, you can also deny that IP entire access, imagine it was 123.123.123.123, you'd do it like this:

sudo ufw deny from 123.123.123.123

Or allwoing an entrire subnet for scanning maybe:

sudo ufw allow from 123.123.123.0/24

Now that you have your rules set, it's time to turn the firewall on, you can do it like this:

sudo ufw enable

Or to disable:

sudo ufw disable

Or to check it's state:

sudo ufw status

Or if you completely messed it up and want to start fresh:

sudo ufw reset

That's all for firewalls.

Timezones and Network Time Protocol Synchronization Setup

Now let's setup your server to always have to correct date depending on its location, start by setting its timezone with:

sudo dpkg-reconfigure tzdata

And navingate through the menus with the arrow keys, ENTER to accept.

Now that your server knows its timezone, lets allow it to tune its time through other servers, for this we use NTP, "Network Time Protocol". You can install it with this:

sudo apt-get install ntp

Done, now your server will always be on time for tasks... (Badum tsss)

SWAP File Setup

Sometimes you may not have enough RAM for specific, non-frequent processes, SWAP files may help on this, whenever you run out of RAM the system usally just kicks the process out, not to overload the RAM, this results in the service crashing, which means that on your client's side, all they see is a "Server down" message. To avoide this, SWAP files store RAM processes that are used less frequentely, in the Disk, of course that this will slow down the process, but it is better than having a service crash. NOTE: The use of SWAP files on SSDs is not recommended. This may cause it do degradate over time. But if you have a magnetic disk, then you can allocate disk space for that file with the fallocate command, imagine I want a 2GB SWAP file, I would allocate it like this:

sudo fallocate -l 2G /swapfile

Now let's tell the system that that file should not be accessed by other processes:

sudo chmod 600 /swapfile

By now it is just a protected file, not a SWAP file. Yet. Let's tell the system to treat it as a SWAP file like this:

sudo mkswap /swapfile

Now let's authorise the system to use it:

sudo swapon /swapfile

Finally, the SWAP file needs to be mounted on boot, so let's add it to our etc/fstab file:

sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'

BACKUP!

You've made to the end of it, but if you don't back -it-up, you migh just need to do everything again!

Have I missed anything? Have any doubts? Drop me a line via the comment form below!

Tiago

Tiago Ferreira

Read more posts by this author.