Ubuntu Server Setup With Basic Security

Dec 7, 2017

SSH Login

You should setup your server with SSH Keys and login via SSH.

ssh -i [FILENAME].pem [email protected][SERVER_IP_OR_DOMAIN_NAME]

Alternatively, you can follow this tutorial which store SSH Keys at default .ssh directory and connect to server via ssh [email protected][SERVER_IP_OR_DOMAIN_NAME].

If you are using DigitalOcean and didn't setup SSH Keys, follow this tutorial.

Create password for root

If you root doesn't have a password yet (e.g. login via SSH Key), create password for root.

passwd

Create new user

It is best practice to not use root user as login and perform tasks, thus we are encouraged to create a new user. Remember to enter password for this user.

adduser do-user

Since we need to do administrative tasks, we assign superuser/root priviledge to our new user account by adding it to sudo group which enable the use of sudo command.

usermod -aG sudo do-user

Setup SSH Keys for new user

Assuming SSH Keys is already setup for root user, execute the following command to enable login by SSH Keys for new user (by copying the SSH keys from root).

su do-usermkdir ~/.sshchmod 0700 ~/.sshsudo cat /root/.ssh/authorized_keys >> ~/.ssh/authorized_keyschmod 0600 ~/.ssh/authorized_keys

Now you can test login to server using the new user.

ssh -i [FILENAME].pem [email protected][SERVER_IP_OR_DOMAIN_NAME]

Assuming you don't have any SSH Keys setup on the server yet, create SSH keys to create on your local ubuntu machine (not server). Copy the content of .pub file into ~/.ssh/authorized_keys. Or you can follow this tutorial.

Disable password login

Since our new user (do-user) can login via ssh keys, we need to disable password login as good security practice (prevent hacker trying to bruteforce by trying to guess our password).

sudo nano /etc/ssh/sshd_config

This will disable login by password.

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

This will disable login by root user (since we will be using do-user from now on)

PermitRootLogin no

This will only allow do-user to login.

AllowUsers do-user

Make sure the following settings are correct.

PubkeyAuthentication yes
ChallengeResponseAuthentication no

Save the file. For those not familar with nano, Ctrl-X to exit, then ENTER to save.

Reload ssh for the changes to take effect.

sudo systemctl reload sshd

From now on, only do-user can login to this server (and root can't).

ssh -i [FILENAME].pem [email protected][SERVER_IP_OR_DOMAIN_NAME]

Setup firewall

UFW is a firewall configuration tool for iptables (a firewall).

sudo ufw allow OpenSSHsudo ufw enablesudo ufw status

I guess it won't hurt to enable ssh port.

sudo ufw allow ssh

❤️ Is this article helpful?

Buy me a coffee ☕ or support my work via PayPal to keep this space 🖖 and ad-free.

Do send some 💖 to @d_luaz or share this article.

✨ By Desmond Lua

A dream boy who enjoys making apps, travelling and making youtube videos. Follow me on @d_luaz

👶 Apps I built

Travelopy - discover travel places in Malaysia, Singapore, Taiwan, Japan.