Upon successful installation of your Debian / Ubuntu server, a few configuration steps are essential in enhancing the security and functionality of the server. In this guide, we will take you through the basic steps in the initial server setup of Debian 9 / Ubuntu 18.04 server. These basic steps will fortify your server and allow the execution of subsequent operations in a seamless manner.
Table of Contents
Login as root user
The initial step in setting up your server is to log in as the root user. But first, you need to have your server’s IP address and the Password or a private key for authentication. To log in, open your Linux terminal and execute the command below. Be sure to substitute the server’s IP address with your IP address.
In this guide, we are using Ubuntu 18.04 server with a Public IP address
To log in using ssh via the terminal, the command is
If you are login in for the first time, you will be required to verify the server’s authenticity.
Type ‘Yes’ and hit Enter. You will then be prompted for the server’s Password. Provide the correct Password and hit Enter.
This will drop you into the server’s shell prompt as shown below
Great! Now that we have successfully logged in to our server, let’s move over to the second step
Create a New user
For best security practices, use of the root account for administrative tasks is highly discouraged. Why is that the case? Running your server as root leaves you prone to making unintentional and costly mistakes which may be detrimental to your server. You can easily do something harmful to your system which may cause irreversible damage to your system.
For this reason, we are going to create a new non-root user and later grant it administrative privileges. This way, every time you try to execute a root-level task, you will be prompted for the password. This will give you some time to pause and think about the consequences for executing the command and stop in your tracks if you notice a costly mistake in the command execution.
To create a new user run
We are going to add a new user ‘james’
You will be prompted for the user’s password and a few additional questions. provide the necessary information
Perfect! to verify the creation of the user view the
/etc/passwd and confirm the existence of the user.
The last line above displays information of the newly created user.
Grant Administrative privileges to the New user
So far the new user has regular account privileges. We need to setup root privileges to our newly created user so that they can perform administrative tasks by appending
sudo before any operation.
To accomplish this, we need to add the user to the sudo group to avoid logging out and logging in as root every time when performing administrative tasks.
The syntax for achieving this is
Copyusermod -aG sudo user_name
In this case, the command for granting sudo privileges to user ‘james’ will be
Copyusermod -aG sudo james
You can now log out and log in with the new user using the command as indicated earlier
After successful login by verifying the authenticity of the server and providing the correct password, you can now you can execute any superuser tasks by preceding the command with
For instance, to update the system using the account execute the command below
Copysudo apt update
You will be prompted for a password and after providing it, the operation will commence.
Configure a basic Firewall
Debian and Ubuntu servers use the UFW firewall to allow or deny traffic into or out of the server.
To view existing connection in the firewall execute
Copysudo ufw app list
As expected, OpenSSH will be displayed because we are currently using ssh to connect to the server
To allow a connection via the firewall, execute the following command.
Copyufw allow service_name
For example, to allow SSH connections for a new server run:
Copysudo ufw allow OpenSSH
To open a specific port on the firewall, use the syntax
Copysudo ufw allow port/protocol
Copysudo ufw allow 80/tcp
To check the status of the firewall execute
Copysudo ufw status
To enable the firewall, run the following command.
Copysudo ufw enable
When prompted type
yes and press ‘ENTER’ to enable the firewall and effect the changes
To view the status of the firewall again and existing connections/open ports, execute the command
Enable Passwordless authentication for the new user
At the moment, we are connecting to our server using the SSH protocol with password authentication. For best security practices, setting up of SSH keys without password authentication is highly recommended. SSH keys come in a pair: a public key and a private key.
The Private key resides on the client machine while the public key resides on the server we are connecting to. Once the SSH key authentication is set up, Password authentication should be disabled. This ensures that only the user with the private key can connect to the server on which the public key resides.
Step 1. Generate the public key
To generate the key pair, run the command below on the client machine
You will get the output as shown
Hit ENTER to save the key pair is
.ssh/ subdirectory in your home directory. Alternatively, you can specify your own path.
Next, you will be prompted for a secure passphrase which is highly recommended to add an extra protective layer. If you wish to do without a passphrase, hit ENTER.
Finally, you will get the following output
At this point, you have both the private and public key. They have been saved in the
.ssh directory in your home directory. In this case, the path is
id_rsa is the private key
id_rsa_pub is the public key
Step 2. Copy the Public Key
To copy the public key to the server, we are going to use the
The Syntax will be
In this case, we shall execute
You will get output similar to the one below
id_rsa.pub key which is the public key has been copied to the server.
Now if you try logging in using the syntax
ssh user@server-ip , you will not be prompted for a password!
Disable Password authentication
Someone can still log in to our server if they got hold of the password. To eliminate this risk, we need to disable SSH password authentication.
To achieve this, we are going to open SSH’s configuration file
Copysudo vim /etc/ssh/sshd_config
Search for the section indicated as
Comment out the line and set the value to no
Save and Exit.
To implement the changes restart the SSH daemon
Copysudo systemctl restart ssh
Now you can launch a new terminal and try to log in using the password and see whether Password authentication has been disabled.
At this point, you should have access to the server using SSH-key based authentication configured on your remote server and not using the SSH password.
Your server is now fully set up and has a solid security foundation. Ensure to keep your public key safe. Away from prying eyes 😀