So, you just got a brand new server, with a pre-installed Ubuntu 14.04 LTS image. Now what? Well, you could start installing mail or http servers, but that wouldn't be good because there are still some things you should do, not only to make your server more secure, but also to optimize it and make sure that you're using all the resources that you have available. So let's start.
Adding A User
If you've got a VPS from Digital Ocean, Amazon Cloud Services, Google Cloud, etc. then your server probably is still using only the default root user. The root user, most commanly used in UNIX based systems, is the most powerful user in the system, it has read and write access to the entire disk and can modify all the processes and other users, think of the OS as a tree, you have the normal, non-admin users as the leaves and fruits, then the admin, non-root users as the trunk, and finaly, the root user, as (guess what), the roots, it is the origin of all the others, and without him there couldn't be the others.
As you can see, finding the password for the root user is a really, really bad thing, whoever holds its password has entire control over the machine, it can also create a lot of damage to the system if not used correctly, imagine that you give your son the root password, even if it is just for him to check his email. In most cases he could end up deleting sensible system files, and therefore, break the system. If you just gave him a normal non-admin account, even if he tried to damage the system, it wouldn't allow him to because he wouldn't have enough privileges to do so. That's why, even sysadmins try not to use the root account, they setup another account for them and add it sudo privileges.
sudo is the command that declares that the command after it should be executed with root previleges, this is better then using root directly because you'll have to manually type sudo to make big changes, you can't just accidently do it. We'll take a look at it later.
Currently you're probably using the root account, as it is the only one. Let's change that. Add a new user with the command
adduser and then the username. Remeber that the username can't contain wired things like spaces or any accents, etc. So imagine I wanted to add the user john, I would do it like this:
This would create a user "john" whitout root previleges, but we need them, so to add root privileges, we add the user "john" to the sudo group.
gpasswd -a john sudo
Now "john" has root privileges by using the
sudo command. To clear things up I'll explain you why this is important. Imagine that you needed to change the configuration for you Apache webserver, and that the address for the config file was
/etc/apache2/apache2.conf, if you just edited with:
It would allow you to edit it, but on time of saving it, it wouldn't allow you to, because you weren't using root privileges, so you can't write to that system file. On the other hand, if you did this with
sudo nano /etc/apache2/apache2.conf
Everything would work as you're editing it as root.
Now that you have a working sudo account,
ssh back but now with your new username, I would do it like this:
And entered my password.
Securing SSH Connections
SSH, meaning "Secure Shell Script", allows you to remote control a server, or computer, via the shell. Think of it as the remote control that you know, like controlling your computer's screen via another computer, but this time it is only for the command line, just for commands. As so, we also don't want anyone else controlling our server. So to start let's change the default port, 22, to some other more complex, anything higher than 1000 shoud do it, if you have doubts in if the port you selected is already being used, then use the
netstat command. It will output all the ports that are in use.
Now that you've fought of a port, let's actually change it to that. Imagine it was 2222, I would firstly open SSH's config file:
sudo nano /etc/ssh/sshd_config
And this will open the file
/etc/ssh/sshd_config with the
nano editor, now you'll see a lot of lines with multiple preferences, one of the top ones says:
In my case, as I want the port to be the port 2222, I would replace that line with this:
Then, as a security measure, let's also say that SSH shouldn't allow root login, only other users, so search for the line that says:
And replace it with:
Now to save the file, do
CTRL-X, which means exit, then type
ENTER, to confirm that you want to save the changes. Now that you are bacj to the terminal, let's reload the SSH service, this basically means to turn it off and on again so tat the changes take effect. We do it like this:
sudo service ssh restart
A firewall is a really important security step, it sets rules for what ports should the server allow or deny connections. We'll use UFW for the firewall, it isn't the most advanced, but it will suffice for now, it should already be installed, but if not, let's install it with apt-get, apt-get is a package manager, think of it like an App Store but for server utilities and commands. It comes pre-installed with Ubuntu but it may be out-of-date, so let's update it:
sudo apt-get update
sudo apt-get upgrade
You may be asked if you want to update the available elements, press
ENTER to confirm it.
You should run these commands regurarly to check for updates. Now let's install UFW:
sudo apt-get install ufw
If it is already installed it will output a message saying that the package ufw is already installed and updated.
Let's start by setting default rules, these are meant so that if there's a combination that is not refered in particular, it will be handled by a default rule. In a server, you usually want it to, by default, allow outgoing connections and deny incoming connections. So let's do that with these commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Now let's set exceptions, you'll need to allow all the ports that your server will be listening on. I'll give examples for SSH, a default HTTP port and HTTPS. For this we use the
sudo ufw allow command. So for SSH in the default port, we can do:
sudo ufw allow ssh
And for HTTP:
sudo ufw allow http
sudo ufw allow https
But we have changed the SSH port, now what? We'll need to set it by its port, let's imagine I use the port 2222, I would do it like this:
sudo ufw allow 2222
But we also want to autmatically deny the default SSH port, well, it is already doing it because we set the defaults to deny, but I'll show it to you:
sudo ufw deny ssh
sudo ufw deny 22
But now imagine that you've detected an automated bot always scanning your server, and you happen to get its IP, you can also deny that IP entire access, imagine it was
220.127.116.11, you'd do it like this:
sudo ufw deny from 18.104.22.168
Or allwoing an entrire subnet for scanning maybe:
sudo ufw allow from 22.214.171.124/24
Now that you have your rules set, it's time to turn the firewall on, you can do it like this:
sudo ufw enable
Or to disable:
sudo ufw disable
Or to check it's state:
sudo ufw status
Or if you completely messed it up and want to start fresh:
sudo ufw reset
That's all for firewalls.
Timezones and Network Time Protocol Synchronization Setup
Now let's setup your server to always have to correct date depending on its location, start by setting its timezone with:
sudo dpkg-reconfigure tzdata
And navingate through the menus with the arrow keys,
ENTER to accept.
Now that your server knows its timezone, lets allow it to tune its time through other servers, for this we use NTP, "Network Time Protocol". You can install it with this:
sudo apt-get install ntp
Done, now your server will always be on time for tasks... (Badum tsss)
SWAP File Setup
Sometimes you may not have enough RAM for specific, non-frequent processes, SWAP files may help on this, whenever you run out of RAM the system usally just kicks the process out, not to overload the RAM, this results in the service crashing, which means that on your client's side, all they see is a "Server down" message. To avoide this, SWAP files store RAM processes that are used less frequentely, in the Disk, of course that this will slow down the process, but it is better than having a service crash. NOTE: The use of SWAP files on SSDs is not recommended. This may cause it do degradate over time. But if you have a magnetic disk, then you can allocate disk space for that file with the
fallocate command, imagine I want a 2GB SWAP file, I would allocate it like this:
sudo fallocate -l 2G /swapfile
Now let's tell the system that that file should not be accessed by other processes:
sudo chmod 600 /swapfile
By now it is just a protected file, not a SWAP file. Yet. Let's tell the system to treat it as a SWAP file like this:
sudo mkswap /swapfile
Now let's authorise the system to use it:
sudo swapon /swapfile
Finally, the SWAP file needs to be mounted on boot, so let's add it to our etc/fstab file:
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
You've made to the end of it, but if you don't back -it-up, you migh just need to do everything again!
Have I missed anything? Have any doubts? Drop me a line via the comment form below!