When first launching a new Ubuntu server there are a few steps that should be followed to get things just a little bit more secure. This won't be an all-encompassing guide, rather just something to get things moving. For more and possibly better server hardening tips check out the links below.
'''from future import links'''
Originally I wrote this tutorial for setting up a new server on a cloud hosting provider. Those already come set up with an SSH server, but if you've downloaded your Ubuntu from the site and are setting it up on a bare metal server, it needs an extra step.
First, you'll want to update the repo list:
sudo apt update
Now, it's possible to install the server.
sudo apt install -y openssh-server
Once it's installed, check that the service is running (the Ubuntu package starts it automatically).
sudo service ssh status
And finally if you want to make any changes you can edit the sshd_config file.
sudo vi /etc/ssh/sshd_config
If you are completing a bare metal install you can go ahead and skip over disabling the root user and creating another user, as that's already taken care of during the install process.
After initially launching the server all you'll most likely have is a root login. Go ahead and use it to log into your server.
Once in, you'll want to add a new user. In this case we'll plan on using this account as the main login account.
Be sure to set a strong password for the account here. After that there will be a number of questions; do as you please with those.
We'll also plan on using this account to complete administrative tasks on the server. To do this we'll just add this user to the sudo group:
usermod -aG sudo sammy
Next we'll add public key authentication to the server. This will make it a bit more secure than password auth, which we'll remove in a future step. If you don't already have an SSH key set up we'll take care of that now.
To generate a key pair run the following command in your local terminal:
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
Follow the next steps in setting up the key, setting the name, location, and a passphrase as desired.
Next we can copy the public key to the new server. There are a couple of ways to go about this. First we will look at using ssh-copy-id, which is pretty straightforward, just enter:
This will automatically copy your public key over. You can verify everything by checking the ~/.ssh/authorized_keys file on the server.
It's also possible to copy it manually. To do this you'll first have to grab the public key from your local machine. It can be found in the ~/.ssh folder; you'll want the contents of the id_rsa.pub file. Once you have that in the clipboard, create the ~/.ssh/authorized_keys file on the server and paste the contents in there.
Next check the permissions on the ~/.ssh directory. They should be 700, and can be changed with the following command:
chmod 700 ~/.ssh
The authorized_keys file permissions should be 600, set those with the following command:
chmod 600 ~/.ssh/authorized_keys
Now that we have all that set up, the next step is to remove the root login and to disable password auth. To do this you'll have to edit the sshd_config file. Fire up your favorite terminal text editor and let's go.
You'll have to search through the file but make sure the following get changed or are set to:
After you're finished editing that file, the ssh daemon needs to be reloaded for those changes to take effect.
systemctl reload sshd
Finally test to make sure that your login works.
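A way to check the result of the steps above, as an added example that is not part of the original tutorial. It assumes the two settings meant here are `PermitRootLogin no` and `PasswordAuthentication no`, reads a single config file (it does not follow `Include` lines), and runs against a constructed sample so it works offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit the hardening steps above.

# Print the value sshd would use for a keyword in one config file.
# sshd keeps the FIRST value it sees for a keyword and keywords are
# case-insensitive; Match blocks are conditional, so stop at the first one.
sshd_effective() {  # usage: sshd_effective <file> <keyword>
  awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Assumption: "hardened" means both keywords are explicitly "no".
audit_sshd() {  # usage: audit_sshd <file>; returns 0 only if both pass
  local rc=0 kw val
  for kw in PermitRootLogin PasswordAuthentication; do
    val=$(sshd_effective "$1" "$kw")
    [ "$val" = "no" ] || { echo "FAIL $kw=$val (want no)"; rc=1; }
  done
  return "$rc"
}

# True when a path has exactly the given octal mode (GNU stat, as on Ubuntu).
perm_ok() {  # usage: perm_ok <path> <mode>
  [ "$(stat -c '%a' "$1")" = "$2" ]
}

# Constructed sample: the second PasswordAuthentication line is ignored
# because an earlier line already set the keyword.
sample_config() {
  cat <<'EOF'
Port 22
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
audit_sshd "$tmp" || echo "sshd_config still allows password logins"
rm -f "$tmp"
```

On the server, `perm_ok ~/.ssh 700` and `perm_ok ~/.ssh/authorized_keys 600` check the permissions set earlier, and `sudo sshd -T` prints the configuration sshd actually loaded, included files and all.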
To add a little bit more security let's enable the uncomplicated firewall (UFW). We'll assume that we're in our 'newuser' account for this. The first step is to allow ssh:
sudo ufw allow ssh
Note: this also assumes that we're using the default ssh port.
Next we can enable the firewall:
sudo ufw enable
Next you'll want to view other applications on your server and allow them as necessary:
sudo ufw app list
This isn't all that should be done for security but this is as far as we're going in this simple little tutorial. I'll come back and add links to more advanced server security later.
On a fresh install you may want to add additional repositories. In this case you may find this error message:
sudo: add-apt-repository: command not found
What a bummer...don't worry though, all you need to do is install the software-properties-common package:
sudo apt-get install software-properties-common python-software-properties
Once this is installed you can go ahead and add the new repo, run an apt-get update and finally install your new package.
As noted a few times throughout, this isn't an all-encompassing guide but rather a quick starting point to make a brand new server a little bit more secure from all the evil out there in the big wide world. I hope you found this little tutorial helpful. If you find an error or feel that I've missed something, please go ahead and leave it in a comment below! I'd really appreciate it and I'm sure the other people stopping by would too.
Tutorial created by 0x6f0