New Ubuntu Server Setup

When first launching a new ubuntu server there are a few steps that should be followed to get things a just a little bit more secure. This won't be an all encompassing guide rather just something to get things moving. For more and possibly better server hardening tips check out the links below.

'''from future import links'''

Bare Metal

Originally I wrote this tutorial for setting up a new server on a cloud hosting provider. Those already come setup with an ssh server; but if you've downloaded your ubuntu from the site and are setting it up on a bare metal server, it needs an extra step.

First, you'll want to update the repo list

sudo apt update

Now, it's possible to install the server.

sudo apt install -y openssh-server

Once it's installed you can start the service.

sudo service ssh status

And finally if you want to make any changes you can edit the sshd_config file.

sudo vi /etc/ssh/sshd_config

If you are completing a bare metal install you can go ahead and skip over disabling the root user and creating another user as that's already taken care during the install process.

Rid Root First

After initially launching the server all you'll most likely have is a root login. Go ahead and use it to log into your server.

ssh root@ip_address

Once in you'll want to add a new user, in this case we'll plan on using this account as the main login account.

adduser newuser

Be sure to set a strong password for the account here. After that there will be a number of questions, do as you please with those.

Privileges

We'll also plan on using this account to complete administrative tasks on the server. To do this we'll just add this user to the sudo group.

usermod -aG sudo sammy

Public Key Auth

Next we'll add public key authentication to the server, this will make it a bit more secure than password auth which we'll remove in a future step. If you don't already have a ssh key setup we'll take care of that now.

To generate a key pair run the following command in your local terminal:

ssh-keygen -t rsa -b 4096 -C "email@example.com"

Follow the next steps in setting up the key, setting the name, location, and a pass phrase as desired.

Next we can copy the public key to the new server. There are a couple ways to go about this. First we will look at using ssh-copy-id which is pretty straight forward, just enter:

ssh-copy-id newuser@ip_address

This will automatically copy your public key over, you can verify everything by check in the ~/.ssh/authorized_keys file on the server.

It's also possible to copy it manually. To do this you'll first have to grab the public key from your local machine. This can be found in the ~/.ssh folder, you'll want to get the contents of the id_rsa.pub file. Once you have that in the clipboard create the ~/.ssh/authorized_keys on the server and paste the contents in there.

Next check the permissions on the ~/.ssh directory, they should be 700. They can be changed with the following command:

chmod 700 ~/.ssh

The authorized_keys file permissions should be 600, set those with the following command:

chmod 600 ~/.ssh/authorized_keys

Remove Root login and Password Auth

Now that we have all that setup the next step is to remove the root login and to disable password auth. To do this you'll have to the sshd_config file. Fire up your favorite terminal text editor and let's go.

vi /etc/ssh/sshd_config

You'll have to search through the file but make sure the following get changed or are set to:

PasswordAuthentication no PubkeyAuthentication yes ChallengeResponseAuthentication no PermitRootLogin no After you're finished editing that file, the ssh daemon needs to be reloaded for those changes to take effect.

systemctl reload sshd

Finally test to make sure that your login works.

Basic UFW setup

To add a little bit more security let's enable the uncomplicated firewall (UFW). We'll assume that we're in our 'newuser' account for this. The first step is to allow ssh:

sudo ufw allow ssh

Note: this also assumes that we're using the default ssh port.

Next we can enable the firewall:

sudo ufw enable

Next you'll want to view other applications on your server and allow them as necessary:

sudo ufw app list

This isn't all that should be done for security but this is as far as we're going in this simple little tutorial. I'll come back and add links to more advanced server security later.

Setting up a new apt repo

On a fresh install you may want to add additional repositories, in this case you may find this error message:

sudo: add-apt-repository: command not found

What a bummer...don't worry though, all you need to do is install the software-properties-common package:

sudo apt-get install software-properties-common python-software-properties

Once this is installed you can go ahead add the new repo, run an apt-get update and finally install your new package.

Final Note

As noted a few times throughout this isn't an all encompassing guide but rather a quick starting point to make a brand new server a little bit more secure from all the evil out there in the big wide world. I hope you found this little tutorial helpful if you find an error or feel that I've missed something please go ahead and leave it in a comment below! I'd really appreciate it and I'm sure the other people stopping by would too.




Tutorial created by 0x6f0