New Ubuntu Server Setup

When deploying a new ubuntu server there are a few steps that should be followed in order to secure things a bit. This won’t yet be an all encompassing guide rather just something to get things moving. I plan to update this guide or add further links to make sure the server is as secure as can be.

Bare Metal Installations

Note: It is now an option to install openssh during installation.

Originally I wrote this tutorial for setting up a new server on a cloud hosting provider. Those already come setup with an ssh server; but if you’ve downloaded your ubuntu from the site and are setting it up on a bare metal server, it needs an extra step.

First, you’ll want to update the repo list

sudo apt update

Now, it’s possible to install the server.

sudo apt install -y openssh-server

Once it’s installed you can start the service.

sudo service ssh status

And finally if you want to make any changes you can edit the sshd_config file.

sudo vi /etc/ssh/sshd_config

If you are completing a bare metal install you can go ahead and skip over disabling the root user and creating another user as that’s already taken care during the install process.

New User setup

After initially launching a cloud server all you’ll most likely have is a root login. Go ahead and use it to log into your server.

ssh [email protected]_address

Once in you’ll want to add a new user, in this case we’ll plan on using this account as the main login account.

adduser newuser

Be sure to set a strong password for the account here. After that there will be a number of questions, do as you please with those.

Later in this setup guide, I’ll go over how to setup public key authorization and disable password authentication.

Add Privileges

In this guide, I’m assuming this account should be designated to complete administrative tasks on the server. To do this add this user to the sudo group.

usermod -aG sudo newuser

Setup Public Key Auth

Next we’ll add public key authentication to the server, this will make it a bit more secure than password auth which we’ll remove in a future step. If you don’t already have a ssh key setup we’ll take care of that now.

To generate a key pair run the following command in terminal on your local machine:

ssh-keygen -t rsa -b 4096 -C "[email protected]"

Follow the next steps in setting up the key, setting the name, location, and a pass phrase as desired.

Next we can copy the public key to the new server. There are a couple ways to go about this. First we will look at using ssh-copy-id which is pretty straight forward, just enter:

ssh-copy-id [email protected]_address

This will automatically copy your public key over, you can verify everything by check in the ~/.ssh/authorized_keys file on the server.

It’s also possible to copy it manually. To do this you’ll first have to grab the public key from your local machine. This can be found in the ~/.ssh folder, you’ll want to get the contents of the id_rsa.pub file. Once you have that in the clipboard create the ~/.ssh/authorized_keys on the server and paste the contents in there.

Next check the permissions on the ~/.ssh directory, they should be 700. They can be changed with the following command:

chmod 700 ~/.ssh

The authorized_keys file permissions should be 600, set those with the following command:

chmod 600 ~/.ssh/authorized_keys

Before proceeding to the next step. Make sure you can login using the newly created user.

Disable Root login and remove Password Auth

Now that we have all that setup the next step is to remove the root login and to disable password auth. To do this you’ll have to the sshd_config file. Fire up your favorite terminal text editor and let’s go.

vi /etc/ssh/sshd_config

You’ll have to search through the file but make sure the following get changed or are set to:

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no

After you’re finished editing that file, the ssh daemon needs to be reloaded for those changes to take effect.

systemctl reload sshd

Finally test to make sure that your login works.

Basic UFW setup

To add a little bit more security let’s enable the uncomplicated firewall (UFW). We’ll assume that we’re in our ‘newuser’ account for this. The first step is to allow ssh:

sudo ufw allow ssh

Note: this also assumes that we’re using the default ssh port.

Next we can enable the firewall:

sudo ufw enable

Next you’ll want to view other applications on your server and allow them as necessary:

sudo ufw app list

This isn’t all that should be done for security but this is as far as we’re going in this simple little tutorial. I’ll come back and add links to more advanced server security later.

Setup Fail2Ban

In order to further protect the new server install Fail2Ban. This will help to find and block malicious login attempts. It does this by monitoring the auth log for failed login attempts, since most password based authentication should be accomplished in 3 or less attempts and ssh key auth should be able to sign in with 1 attempt. It can be assumed that anything more is malicious poking at the server and therefore can be blocked.

Installation, is straight forward:

apt install fail2ban

Next up is to create a local jail file in the following location: /etc/fail2ban/jail.local

This is my default setup, I put max retry to 1 since I have public key auth setup, I shouldn’t fail but if I do I have my ip in the ignore ip list just in case.

[DEFAULT]
bantime = 7200m
findtime = 2880m
maxretry = 2
gnoreip = 127.0.0.1/8 1.1.1.1

[sshd]
enabled = true
maxretry = 1

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 1

Setting up a new apt repo

On a fresh install you may want to add additional repositories, in this case you may find this error message:

sudo: add-apt-repository: command not found

What a bummer…don’t worry though, all you need to do is install the software-properties-common package:

Starting in Ubuntu 20.04

sudo apt-get install software-properties-common

For older versions

sudo apt-get install software-properties-common \
    python-software-properties

Once this is installed you can go ahead add the new repo, run an apt-get update and finally install your new package.

Get Python3 and pip setup

On newer versions on Ubuntu (16.04 and newer), when trying to install pip this error message might popup.

from distutils.core import setup
ImportError: No module named distutils.core

In order to fix this error, we’ll need to install dist utils.

First, if it hasn’t been run already. Update the apt repositories.

sudo apt update

Next, install distutils

sudo apt install python3-distutils -y

Once this is installed, it should be possible to install pip or whatever caused this error message to begin with.

Setting up automatic updates (optional)

Keeping the system up to date can be a chore, this could be especially troublesome if you have anything else come up and you can’t get to this in a timely manner. Not to worry, you can set the system to apply security updates regularly.

I’ll update this in the near future with the steps to set this up.

Final Note

I just wanted to note, this isn’t an all encompassing guide but rather a quick starting point to make a brand new server a little bit more secure from all the evil out there in the big wide world. I hope you found this little tutorial helpful. If you happened to find an error or feel that I’ve missed something important, please contact me so I can fix it, I’ll add a link to you as a contributor as a sign of appreciation.

If you would like help getting your server setup, I am available for hire. Or, if you prefer. I also offer managed server hosting.