When deploying a new Ubuntu server there are a few steps that should be followed in order to secure things a bit. This won't yet be an all-encompassing guide, rather just something to get things moving. I plan to update this guide or add further links to make sure the server is as secure as can be.
If you would like help getting your server set up, I am available for hire. Or, if you prefer, I also offer managed server hosting.
Note: It is now an option to install openssh during installation.
Originally I wrote this tutorial for setting up a new server on a cloud hosting provider. Those already come set up with an ssh server, but if you've downloaded your Ubuntu from the site and are setting it up on a bare metal server, it needs an extra step.
First, you'll want to update the repo list:
sudo apt update
Now, it's possible to install the server.
sudo apt install -y openssh-server
Once it's installed, the service should already be started. You can check its status with:
sudo service ssh status
And finally if you want to make any changes you can edit the sshd_config file.
sudo vi /etc/ssh/sshd_config
If you are completing a bare metal install you can go ahead and skip over disabling the root user and creating another user, as that's already taken care of during the install process.
After initially launching a cloud server all you'll most likely have is a root login. Go ahead and use it to log into your server.
ssh root@ip_address
Once in, you'll want to add a new user. In this case we'll plan on using this account as the main login account.
adduser newuser
Be sure to set a strong password for the account here. After that there will be a number of questions, do as you please with those.
Later in this setup guide, I'll go over how to set up public key authorization and disable password authentication.
In this guide, I'm assuming this account should be designated to complete administrative tasks on the server. To do this, add this user to the sudo group.
usermod -aG sudo newuser
Next we'll add public key authentication to the server. This will make it a bit more secure than password auth, which we'll remove in a future step. If you don't already have an ssh key set up, we'll take care of that now.
To generate a key pair, run the following command in a terminal on your local machine:
ssh-keygen -t rsa -b 4096 -C "email@example.com"
Follow the next steps in setting up the key, setting the name, location, and a passphrase as desired.
Next we can copy the public key to the new server. There are a couple of ways to go about this. First we will look at using ssh-copy-id, which is pretty straightforward. Just enter:
ssh-copy-id newuser@ip_address
This will automatically copy your public key over. You can verify everything by checking the ~/.ssh/authorized_keys file on the server.
It's also possible to copy it manually. To do this you'll first have to grab the public key from your local machine. This can be found in the ~/.ssh folder; you'll want to get the contents of the id_rsa.pub file. Once you have that in the clipboard, create the ~/.ssh/authorized_keys file on the server and paste the contents in there.
Next check the permissions on the ~/.ssh directory. They should be 700. They can be changed with the following command:
chmod 700 ~/.ssh
The authorized_keys file permissions should be 600, set those with the following command:
chmod 600 ~/.ssh/authorized_keys
Before proceeding to the next step, make sure you can log in using the newly created user.
Now that we have all that set up, the next step is to remove the root login and to disable password auth. To do this you'll have to edit the sshd_config file. Fire up your favorite terminal text editor and let's go.
vi /etc/ssh/sshd_config
You'll have to search through the file but make sure the following get changed or are set to:
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
After you're finished editing that file, the ssh daemon needs to be reloaded for those changes to take effect.
systemctl reload sshd
Finally test to make sure that your login works.
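The following script is an added example, not part of the original tutorial: it checks a config file for the four settings above, following sshd's rule that the first value read for a keyword wins and that anything after a Match line is conditional. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names are
# hypothetical and the sample config below is constructed.

# Print the effective global value of one keyword. sshd keeps the FIRST value
# it reads, keywords are case-insensitive, and "Match" ends the global section.
sshd_effective() {   # usage: sshd_effective <config-file> <Keyword>
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == want    { print tolower(f[2]); exit }  # first value wins
    ' "$1"
}

# Check the four settings from the tutorial; returns the number of failures.
# An unset keyword counts as a failure so that every setting is explicit.
audit_sshd() {       # usage: audit_sshd <config-file>
    fails=0
    for pair in passwordauthentication=no pubkeyauthentication=yes \
                challengeresponseauthentication=no permitrootlogin=no; do
        key=${pair%%=*}; expected=${pair#*=}
        actual=$(sshd_effective "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key $actual"
        else
            echo "FAIL  $key is '${actual:-unset}', expected '$expected'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: the later duplicate and the Match block must be ignored,
# and ChallengeResponseAuthentication is missing on purpose.
write_sample_config() {   # usage: write_sample_config <path>
    cat > "$1" <<'EOF'
# constructed sample, not a real server's config
PermitRootLogin no
PasswordAuthentication no
passwordauthentication yes
PubkeyAuthentication=yes
Match User backup
    PasswordAuthentication yes
EOF
}

if [ $# -gt 0 ]; then audit_sshd "$1"; fi
```

On a live server, sshd -t checks the file for syntax errors before you reload, and sshd -T prints the configuration sshd will actually use, including any included files that this script does not follow.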
To add a little bit more security let's enable the uncomplicated firewall (UFW). We'll assume that we're in our 'newuser' account for this. The first step is to allow ssh:
sudo ufw allow ssh
Note: this also assumes that we're using the default ssh port.
Next we can enable the firewall:
sudo ufw enable
Next you'll want to view other applications on your server and allow them as necessary:
sudo ufw app list
This isn't all that should be done for security but this is as far as we're going in this simple little tutorial. I'll come back and add links to more advanced server security later.
In order to further protect the new server, install Fail2Ban. This will help to find and block malicious login attempts. It does this by monitoring failed login attempts: most password based authentication should be accomplished in 3 or fewer attempts, and ssh key auth should be able to sign in with 1 attempt, so it can be assumed that anything more is malicious poking at the server and therefore can be blocked.
Installation, coming soon.
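To make the counting idea concrete, here is an added example (not Fail2Ban's own code and not part of the original tutorial) that counts failed SSH password logins per source address in an auth log and lists the sources above a retry limit. It is simplified: there is no time window and no banning, and the function names and log lines are constructed.

```shell
#!/bin/sh
# Added example (not Fail2Ban's code): count failed SSH password logins per
# source address and list the sources above a retry limit.
# Function names are hypothetical; the log lines below are constructed.

# usage: flag_sources <auth-log> <maxretry>   -> lines of "<ip> <failures>"
flag_sources() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is text chosen by the client, so look for "from"
            # scanning right to left; the real address follows the last one.
            for (i = NF - 1; i > 0; i--)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] > max) print ip, count[ip] }
    ' "$1" | sort
}

# Constructed sample log using documentation address ranges. The fourth line
# has a user literally named "from", which a left-to-right scan would misread.
write_sample_log() {   # usage: write_sample_log <path>
    cat > "$1" <<'EOF'
Jul  2 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jul  2 10:00:03 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jul  2 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jul  2 10:00:07 host sshd[1003]: Failed password for invalid user from from 203.0.113.7 port 40003 ssh2
Jul  2 10:01:00 host sshd[1004]: Failed password for newuser from 198.51.100.20 port 50111 ssh2
Jul  2 10:01:09 host sshd[1004]: Accepted password for newuser from 198.51.100.20 port 50111 ssh2
Jul  2 10:02:00 host sshd[1005]: Accepted publickey for newuser from 198.51.100.21 port 50200 ssh2
EOF
}

# Run against a real log when a path is given; the limit defaults to 3.
if [ $# -gt 0 ]; then flag_sources "$1" "${2:-3}"; fi
```

With the sample log and a limit of 3, only 203.0.113.7 is listed; the single mistyped password from 198.51.100.20 stays under the limit.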
On a fresh install you may want to add additional repositories. In this case you may find this error message:
sudo: add-apt-repository: command not found
What a bummer...don't worry though, all you need to do is install the software-properties-common package:
sudo apt-get install software-properties-common
Once this is installed you can go ahead and add the new repo, run an apt-get update and finally install your new package.
On newer versions of Ubuntu (16.04 and newer), when trying to install pip this error message might pop up.
from distutils.core import setup
ImportError: No module named distutils.core
In order to fix this error, we'll need to install distutils.
First, if it hasn't been run already, update the apt repositories.
sudo apt update
Next, install distutils:
sudo apt install python3-distutils -y
Once this is installed, it should be possible to install pip or whatever caused this error message to begin with.
I just wanted to note, this isn't an all-encompassing guide but rather a quick starting point to make a brand new server a little bit more secure from all the evil out there in the big wide world. I hope you found this little tutorial helpful. If you happened to find an error or feel that I've missed something important, please go ahead and leave it in a comment below or send me an email. I'd really appreciate it and I'm sure the other people stopping by would too.
Tutorial created by 0x6f0 - Last updated: 02-JUL-2019