Initial Server Setup with Ubuntu

PUBLISHED ON MAR 28, 2013 — TUTORIAL

Last Updated: 11th January 2015.


Overview

  1. Getting Ready
  2. Connecting to the Server
  3. Setting the Server’s Timezone
  4. Updating the Server
  5. Create a New User
  6. Setting Up SSH Keys
  7. Basic Security Setup
  8. Advanced Security Setup
  9. iptables Firewall
  10. Reboot Server when Out of Memory

Getting Ready

In this tutorial you will need to enter several commands in the terminal. Most of them can simply be copied and pasted; however, some commands will need to be modified by you.

For example, when you see a command that says:

ssh <user>@<ip address>

Here you will have to replace <user> with your username on your server and <ip address> with your server’s IP address. So, if your username is demo and your server’s IP address is 192.67.87.564, then you will enter the following command:

ssh demo@192.67.87.564

Connecting to the Server

Mac Users: Open Terminal application on your Mac.

Windows Users: Since Windows doesn’t come with a pre-installed terminal, you will need to download PuTTY.

To connect to your server, open up Terminal/PuTTY and type in:

ssh root@<ip address>

This command launches the SSH program and asks it to connect to your server with the username root (default Ubuntu user). You will be prompted for the root password. If you don’t know the root password, then you will need to contact your hosting company and ask them about it.

Setting the Server’s Timezone

To set your server’s timezone, you need to reconfigure the tzdata package:

dpkg-reconfigure tzdata

Verify that the time and date are correct:

date

Updating the Server

Check for Updates:

apt-get update

Install all available updates:

apt-get upgrade -y

Create a New User

Add a new user:

adduser <username>

Add the newly created user to the sudo group:

usermod -a -G sudo <username>

Adding the user to the sudo group allows you to perform actions that require root privileges simply by prefixing any command with sudo.

Logout of the server:

exit

This will terminate your SSH connection to the server.

Setting Up SSH Keys

If you already have SSH keys on your system, then you can skip this step.

Generate SSH keys:

(Note: You need to run this command on your local computer, not on your server.)

ssh-keygen -t rsa

When prompted, just accept the default locations for the keyfiles. You’ll also want to choose a strong passphrase (password) for your key.

If you’re on a Mac, you can save the password in your keychain so you won’t have to type it in each time you login to your server.

Now you should have two keyfiles: id_rsa (private key) and id_rsa.pub (public key) in the ~/.ssh folder.

Copy the public key to the server. Again, you need to run this on your local computer:

scp ~/.ssh/id_rsa.pub <username>@<ip address>:

Replace username with the user that you created earlier.

Now, login to your server using the new user:

ssh <username>@<ip address>

From now on, whenever you need to log in to your server, log in as the user you created. Never log in as root unless you absolutely have to.

On your server, run the following commands:

cd ~
mkdir -p .ssh
mv id_rsa.pub .ssh/authorized_keys
chown -R <username>:<username> .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
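The same steps as one function, added here as an example and not part of the original post: it is safe to run more than once and on an account that already has keys (the mv above would replace an existing authorized_keys file, which is fine for a brand-new user but loses keys on an existing one). It assumes the home directory and the public-key file are passed as arguments; run it as the user who will log in, or as root followed by the chown shown above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): install a public key into
# a user's authorized_keys without clobbering keys already there, and set the
# permissions sshd insists on. Assumes: $1 = home directory, $2 = public-key file.

install_authorized_key() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # A public key file is exactly one line: key type, base64 blob, optional comment.
    if [ "$(awk 'END { print NR }' "$pubkey_file")" -ne 1 ] ||
       [ "$(awk 'NF >= 2 { n++ } END { print n + 0 }' "$pubkey_file")" -ne 1 ]; then
        echo "refusing: $pubkey_file does not look like a single public key" >&2
        return 1
    fi
    key="$(cat "$pubkey_file")"

    mkdir -p "$ssh_dir"          # no error if .ssh already exists
    touch "$auth_keys"

    # Append only when this exact line is not present yet (idempotent).
    if ! grep -qxF -- "$key" "$auth_keys"; then
        printf '%s\n' "$key" >> "$auth_keys"
    fi

    # With StrictModes (the default) sshd ignores authorized_keys when the
    # directory or the file is writable by anyone but the owner.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_keys"
}

# Number of keys the account currently authorises; used to check the result.
authorized_key_count() {
    awk 'NF >= 2 { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}
```

Typical use on the server, as the new user: install_authorized_key "$HOME" ~/id_rsa.pub. The format check is deliberately strict: a file with two lines is most often a stray private key or a whole pasted terminal, and either one in authorized_keys is a mistake worth stopping early.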

Basic Security Setup

This is a very important step. All Ubuntu servers have a root user, and most servers run SSH on port 22 (the default SSH port). Attackers often try to guess the root password using automated attacks that try thousands of password combinations. This is a common attack that almost all servers face.

You can make things substantially more difficult for automated attackers by preventing the root user from logging in over SSH and changing your SSH port to something less obvious. You will still be able to login using the user that you created.

This should prevent the vast majority of automated attacks.

Open your SSH configuration file:

sudo nano /etc/ssh/sshd_config

Things that you need to change:

  • The value of Port from 22 to any number between 22 and 1000.
  • The value of PermitRootLogin from yes to no.

Save your changes.

Restart SSH for your changes to take effect:

sudo service ssh restart

Now, when you log in to your server, you will also need to append the port number to the SSH command:

ssh <username>@<ip address> -p <new port number>
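The two sshd_config edits above, done with a script instead of an editor, as an added example that is not part of the original post. The point it adds is how sshd reads the file: the first uncommented occurrence of a directive wins, and directives such as Port are not allowed inside a Match block, so the function replaces the first occurrence, drops later duplicates, and inserts a missing directive before any Match line. It assumes the config path is passed in; work on a copy of /etc/ssh/sshd_config and validate it with sshd -t -f <copy> before moving it into place and restarting.

```shell
#!/bin/sh
# Added example (not from the original tutorial): idempotent sshd_config
# edits plus a reader that returns the value sshd will actually use.
# Assumes: $1 is the path of an sshd_config file (or a copy of it).

# Set KEY to VALUE. First uncommented occurrence is replaced, later duplicates
# are dropped, and a missing directive is inserted before the first "Match".
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { k = tolower(key) }
        /^[ \t]*#/ || NF == 0 { print; next }            # comments and blanks untouched
        tolower($1) == "match" && !done { print key " " value; done = 1 }
        tolower($1) == k {
            if (!done) { print key " " value; done = 1 }
            next                                          # sshd ignores duplicates anyway
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"   # temp file: a failure leaves the original intact
}

# Print the effective value of KEY (first uncommented occurrence, stopping at
# the first Match block), or nothing if it is not set explicitly.
get_sshd_option() {
    awk -v key="$2" '
        BEGIN { k = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# The two changes the tutorial asks for, with the port checked first so a
# typo cannot leave sshd unable to start after the restart.
harden_sshd_config() {
    file="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    set_sshd_option "$file" Port "$port" &&
    set_sshd_option "$file" PermitRootLogin no
}
```

Keep the existing SSH session open while you restart sshd and confirm a second login on the new port works; if the new configuration is wrong, the open session is what lets you fix it.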

Advanced Security Setup

Fail2Ban is a security tool that helps prevent dictionary attacks. It works by monitoring important services like SSH and blocking IP addresses that appear to be malicious (addresses that fail too many login attempts because they are guessing passwords).

Install Fail2ban:

sudo apt-get update
sudo apt-get install fail2ban

Configure Fail2Ban:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Things that you need to change:

  • Under [ssh] section:
    1. Change the value of port from ssh to the port number that you set earlier.
  • Under [ssh-ddos] section:
    1. Change the value of enabled from false to true.
    2. Change the value of port from ssh to the new port number.

Save your changes.

Restart Fail2Ban to put the new rules into effect:

sudo service fail2ban restart
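The jail.local edits above as a script, added here as an example and not part of the original post or of Fail2Ban. The check it adds is consistency: if the jail still says port = ssh, Fail2Ban resolves that to 22 via /etc/services and never sees the failures on your new port, so the port is passed in once and written to both sections. It assumes the jail.local path and the port are arguments; the section and option names ([ssh], [ssh-ddos], enabled, port) are the ones the tutorial uses.

```shell
#!/bin/sh
# Added example (not from the original tutorial): section-aware, idempotent
# edits to an INI-style fail2ban jail.local. Assumes: $1 = path to jail.local.

# Set KEY = VALUE inside [SECTION]. An existing key in that section is
# replaced, a missing key is added at the end of the section, and a missing
# section is appended together with the key.
set_jail_option() {
    file="$1"; section="$2"; key="$3"; value="$4"
    tmp="$file.tmp.$$"
    awk -v section="$section" -v key="$key" -v value="$value" '
        function leave_section() {
            if (in_sec && !done) { print key " = " value; done = 1 }
            in_sec = 0
        }
        /^[ \t]*\[/ {
            leave_section()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            if (name == section) { in_sec = 1; seen = 1 }
            print; next
        }
        in_sec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") > 0 {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) {
                if (!done) { print key " = " value; done = 1 }
                next                                   # drop duplicate keys
            }
        }
        { print }
        END {
            leave_section()
            if (!seen) { print ""; print "[" section "]"; print key " = " value }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the value of KEY in [SECTION], or nothing if it is not set there
# (values inherited from [DEFAULT] are deliberately not resolved).
get_jail_option() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*\[/ {
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_sec = (name == section); next
        }
        in_sec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") > 0 {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }
    ' "$1"
}

# The three changes the tutorial asks for, with one port value for both jails.
configure_ssh_jails() {
    file="$1"; port="$2"
    set_jail_option "$file" ssh port "$port" &&
    set_jail_option "$file" ssh-ddos enabled true &&
    set_jail_option "$file" ssh-ddos port "$port"
}
```

After the restart, sudo fail2ban-client status ssh shows whether the jail is running and how many addresses it has banned; an empty count a day later on an internet-facing host usually means the jail is watching the wrong port or log file.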

iptables Firewall

Ubuntu ships with iptables, which is the distribution’s default firewall. To make the server more secure, we will add some rules to the firewall.

The firewall should not have any rules yet; you can check this using:

sudo iptables -L

Setup firewall rules in a new file:

sudo nano /etc/iptables.firewall.rules

Paste the following rules into the new .rules file. Don’t forget to change <port number> to the port number that you set earlier in the SSH configuration file:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow ports for testing
-A INPUT -p tcp --dport 8080:8090 -j ACCEPT

#  Allow ports for MOSH (mobile shell)
-A INPUT -p udp --dport 60000:61000 -j ACCEPT

#  Allow SSH connections
#  The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport <port number> -j ACCEPT

# Allow FTP
# Purely optional, but required for WordPress to install its own plugins or update itself.
-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Save your changes.

Activate the firewall rules:

sudo iptables-restore < /etc/iptables.firewall.rules

Verify that the rules were installed correctly:

sudo iptables -L

This time the output should list the rules you just loaded.

Activate the firewall rules on startup:

sudo nano /etc/network/if-pre-up.d/firewall

Paste this in:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Save your changes.

Set the script permissions:

sudo chmod +x /etc/network/if-pre-up.d/firewall
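The step that goes wrong most often here is loading a ruleset whose SSH rule is missing, still reads <port number>, or sits after the catch-all REJECT: the firewall then closes the session you are working from. The script below, added as an example and not part of the original post, fills in the placeholder and checks those three conditions before anything is handed to iptables-restore. The file names are hypothetical, and the template it writes is a shortened, constructed copy of the ruleset above so the example runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original tutorial): render the firewall rules
# file from a template and check it for the classic lockout mistakes.

# Constructed sample template (shortened copy of the tutorial's ruleset);
# on a real server the template is the file you wrote above.
write_sample_template() {
    cat > "$1" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport <port number> -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Render TEMPLATE to OUT with SSH_PORT substituted. Refuses a bad port and
# refuses to write a file that still carries an unfilled <...> placeholder,
# which iptables-restore would reject as a whole.
render_firewall_rules() {
    template="$1"; out="$2"; ssh_port="$3"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "invalid port: '$ssh_port'" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "port out of range: $ssh_port" >&2; return 1
    fi
    sed "s/<port number>/$ssh_port/g" "$template" > "$out.tmp" || return 1
    if grep -q '<[^>]*>' "$out.tmp"; then
        echo "unfilled placeholder remains in $template" >&2
        rm -f "$out.tmp"; return 1
    fi
    mv "$out.tmp" "$out"
}

# Lockout check: an ACCEPT for the SSH port must exist on the INPUT chain and
# come before the catch-all "-A INPUT -j REJECT" (rules are evaluated in
# order, first match wins). Exit status 0 when the file is safe to load.
ssh_rule_precedes_reject() {
    awk -v port="$2" '
        /^-A INPUT / && $0 ~ ("--dport " port " -j ACCEPT") && !ssh { ssh = NR }
        /^-A INPUT -j REJECT/ && !rej { rej = NR }
        END { exit !(ssh && rej && ssh < rej) }
    ' "$1"
}

# Then, as root, parse without committing and apply only if that passes:
#   iptables-restore --test < /etc/iptables.firewall.rules && \
#   iptables-restore < /etc/iptables.firewall.rules
```

Two caveats worth knowing. First, the ESTABLISHED,RELATED rule keeps your current SSH session alive even if the new SSH rule is wrong, so always test a fresh login from a second terminal before closing the first. Second, the /etc/network/if-pre-up.d hook is run by ifupdown; on Ubuntu releases that configure the network with netplan instead, it never fires, and the iptables-persistent package (which loads /etc/iptables/rules.v4 at boot) is the usual replacement.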

Reboot Server when Out of Memory

In cases where something goes awry, it is good to automatically reboot your server when it runs out of memory. This will cause a minute or two of downtime, but it’s better than suffering in the swapping state for potentially hours or days.

Open sysctl.conf file:

sudo nano /etc/sysctl.conf

Go to the end of the file and then paste this in:

# Reboot server on out-of-memory condition
vm.panic_on_oom=1
kernel.panic=10

Save your changes.

That’s it!


Credits

This post has been compiled from the following sources: