Ubuntu Server Setup – Security Best Practices

Filed Under: Ubuntu

Upon successful installation of your Debian / Ubuntu server, a few configuration steps are essential in enhancing the security and functionality of the server. In this guide, we will take you through the basic steps in the initial server setup of Debian 9 / Ubuntu 18.04 server. These basic steps will fortify your server and allow the execution of subsequent operations in a seamless manner.

Login as root user

The initial step in setting up your server is to log in as the root user. But first, you need to have your server’s IP address and the Password or a private key for authentication. To log in, open your Linux terminal and execute the command below. Be sure to substitute the server’s IP address with your IP address.

ssh user@ip-address

In this guide, we are using Ubuntu 18.04 server with a Public IP address 38.76.11.180.

To log in using ssh via the terminal, the command is

ssh root@38.76.11.180

If you are login in for the first time, you will be required to verify the server’s authenticity.

ubuntu server setup

Type ‘Yes’ and hit Enter. You will then be prompted for the server’s Password. Provide the correct Password and hit Enter.

ssh root login password

This will drop you into the server’s shell prompt as shown below

server login prompt

Great! Now that we have successfully logged in to our server, let’s move over to the second step

Create a New user

For best security practices, use of the root account for administrative tasks is highly discouraged. Why is that the case? Running your server as root leaves you prone to making unintentional and costly mistakes which may be detrimental to your server. You can easily do something harmful to your system which may cause irreversible damage to your system.

For this reason, we are going to create a new non-root user and later grant it administrative privileges. This way, every time you try to execute a root-level task, you will be prompted for the password. This will give you some time to pause and think about the consequences for executing the command and stop in your tracks if you notice a costly mistake in the command execution.

To create a new user run

adduser user_name

We are going to add a new user ‘james’

adduser james

You will be prompted for the user’s password and a few additional questions. provide the necessary information

Ubuntu add new login user

Perfect! to verify the creation of the user view the /etc/passwd and confirm the existence of the user.

cat /etc/passwd

Sample Output

verify creation of new user

The last line above displays information of the newly created user.

Grant Administrative privileges to the New user

So far the new user has regular account privileges. We need to setup root privileges to our newly created user so that they can perform administrative tasks by appending sudo before any operation.

To accomplish this, we need to add the user to the sudo group to avoid logging out and logging in as root every time when performing administrative tasks.

The syntax for achieving this is

usermod -aG sudo user_name 

In this case, the command for granting sudo privileges to user ‘james’ will be

usermod -aG sudo james

You can now log out and log in with the new user using the command as indicated earlier

ssh james@38.76.11.180

After successful login by verifying the authenticity of the server and providing the correct password, you can now you can execute any superuser tasks by preceding the command with sudo

For instance, to update the system using the account execute the command below

sudo apt update

You will be prompted for a password and after providing it, the operation will commence.

using sudo to update system

Configure a basic Firewall

Debian and Ubuntu servers use the UFW firewall to allow or deny traffic into or out of the server.

To view existing connection in the firewall execute

sudo ufw app list

As expected, OpenSSH will be displayed because we are currently using ssh to connect to the server

Output

ufw app list

To allow a connection via the firewall, execute the following command.

ufw allow service_name

For example, to allow SSH connections for a new server run:

sudo ufw allow OpenSSH

Output

allow ssh connections ufw

To open a specific port on the firewall, use the syntax

sudo ufw allow port/protocol

For example

sudo ufw allow 80/tcp

Output

allow port 80 ufw

To check the status of the firewall execute

sudo ufw status

Output

ufw status inactive

To enable the firewall, run the following command.

sudo ufw enable

When prompted type yes and press ‘ENTER’ to enable the firewall and effect the changes

enable ufw firewall

To view the status of the firewall again and existing connections/open ports, execute the command

status of ufw firewall

Enable Passwordless authentication for the new user

At the moment, we are connecting to our server using the SSH protocol with password authentication. For best security practices, setting up of SSH keys without password authentication is highly recommended. SSH keys come in a pair: a public key and a private key.
The Private key resides on the client machine while the public key resides on the server we are connecting to. Once the SSH key authentication is set up, Password authentication should be disabled. This ensures that only the user with the private key can connect to the server on which the public key resides.

Step 1. Generate the public key

To generate the key pair, run the command below on the client machine

ssh-keygen

You will get the output as shown

file to save ssh key pair

Hit ENTER to save the key pair is .ssh/ subdirectory in your home directory. Alternatively, you can specify your own path.

Next, you will be prompted for a secure passphrase which is highly recommended to add an extra protective layer. If you wish to do without a passphrase, hit ENTER.

enter passphrase

Finally, you will get the following output

ssh key generated

At this point, you have both the private and public key. They have been saved in the .ssh directory in your home directory. In this case, the path is /root.ssh

cat /root/.ssh

Output

public and private keys

id_rsa is the private key

id_rsa_pub is the public key

Step 2. Copy the Public Key

To copy the public key to the server, we are going to use the ssh-copy-id command.

The Syntax will be

ssh-copy-id user@remote-server

In this case, we shall execute

ssh-copy-id james@38.76.11.180

You will get output similar to the one below

login using public ssh key

The id_rsa.pub key which is the public key has been copied to the server.

Now if you try logging in using the syntax ssh user@server-ip , you will not be prompted for a password!

Disable Password authentication

Someone can still log in to our server if they got hold of the password. To eliminate this risk, we need to disable SSH password authentication.

To achieve this, we are going to open SSH’s configuration file

sudo vim /etc/ssh/sshd_config

Search for the section indicated as PasswordAuthentication .

Comment out the line and set the value to no

Save and Exit.

To implement the changes restart the SSH daemon

sudo systemctl restart ssh

Now you can launch a new terminal and try to log in using the password and see whether Password authentication has been disabled.

Final word

At this point, you should have access to the server using SSH-key based authentication configured on your remote server and not using the SSH password.

Your server is now fully set up and has a solid security foundation. Ensure to keep your public key safe. Away from prying eyes 😀

Leave a Reply

Your email address will not be published. Required fields are marked *

close
Generic selectors
Exact matches only
Search in title
Search in content
Search in posts
Search in pages