Initial Server Setup on Ubuntu 16.04 [Enhancing Server Security]

When I was writing the guide about setting up ClassicPress/WordPress on Ubuntu, I discovered that a new Ubuntu image needs a proper initial configuration, one that not only tightens your server's security but also improves its reliability.

Prerequisite

You need to be able to access the terminal via SSH. If you are coming from the guide linked above, you don’t have to do anything else, just follow on; otherwise, go to the Creating a Droplet on DigitalOcean / Creating an SSH section of this guide:
How To Setup ClassicPress on Ubuntu 16.04 Using VestaCP at Digital Ocean

Let’s get started…

Step 1: Login as Root

To log in as root, you will need to know your server’s public IP address and your password.

If you are using an SSH key for authentication, you will need the private key and the passphrase for that key. This is covered in Connecting Your Droplet With PuTTY on Windows; if you are on Mac or Linux, follow this guide instead: How to Connect to your Droplet with OpenSSH

Putty prompting for passkey of user root ↑
Successfully logged in as root  ↑

The root user is the default administrative user on a Linux system and has the highest privileges. Best practice is to disallow root from logging in over SSH (with a key or a password) and to create a new user that acts in place of root; with a few steps in place, you will still be able to perform root-level tasks.

The main reason you shouldn’t use root is that many bots try to take advantage of it: they assume the root user exists and try guessed passwords against it. I see this in my logs every time.

Let’s create a new user…

Tip: don’t use a generic username like “admin”, “administration”, “mum”, “dad”, “love”, etc.; choose something unique.

Step 2: Create a new user With Sudo Privileges

First, log in as root, which we’ve done above.

Add a new user; I will be using “nothingcomeseasy20”:

adduser nothingcomeseasy20

You will be prompted to create a new Unix password for the new user; use a password generator to produce a complex password:

Create a new user and input password
You will be asked to retype the passkey for verification

Add your details. The only field I fill in is my name; I press Enter to skip the other fields. When you are done, enter Y to confirm your details:

Add new details
fill your name

Once your new user is created, let’s add sudo privileges, so that the new account can perform administrative tasks with the sudo command (also known as superuser or root privileges).

Give it superuser privileges by running the following command:

usermod -aG sudo nothingcomeseasy20

Remember to replace nothingcomeseasy20 user with your own user.

From now on, you should only log into your Ubuntu server using this new user.

Before we do, let’s create a new SSH key for the new user.

Step 3: Create a New SSH Key for The New User (Recommended)

It is highly recommended that you set up a public SSH key for your new user; this makes your server more secure.

I am on Windows, so I will be using PuTTY.

Search for PuTTYgen or locate it inside this folder: C:\Program Files\PuTTY and open puttygen.exe

Go to this folder on a 32-bit system: C:\Program Files (x86)\PuTTY

Open PuTTY gen

Click Generate and move your mouse randomly over the blank area. The mouse motion is used as entropy: even among thousands of users, no one could predict your exact mouse movements, so no one can reproduce your key. If you are curious, you can read this StackExchange answer.

Your key looks like this, once it is generated:
The generated ssh key alt

The good thing is that you can also password-protect your SSH key by filling in the Key passphrase field. This way, if someone gains access to your computer, they will still need the passphrase to use the key; the trade-off is that you must provide this passphrase every time you use the key.

Note: don’t use a simple password or one you’ve used elsewhere; use something stronger. You can generate one here: Password generator

Once generated, store the passphrase in a private notebook at home. No, don’t keep it on your PC.

Save your private key in a folder on your local computer:

Save private key

We are getting there!

Copy the public key and follow the next step:
Copy Public Key

There are different ways to copy the public key to your server; let’s go with a simple method:

Log in as root and switch to the newly created user. In my case, it is nothingcomeseasy20:

su - nothingcomeseasy20

You should see something like this if you successfully switched to the new user:

3. Switch root to new user
You can see the new user has replaced root ↑

Now, create a new directory called .ssh and restrict its permissions using the following command:

mkdir ~/.ssh
chmod 700 ~/.ssh

mkdir – make a new directory called .ssh

~/ – the home directory of the current user

chmod 700 – only the owner (the new user nothingcomeseasy20) can read, write and enter the directory; nobody else has any access

The next step is to copy the public key we generated in PuTTYgen into the file authorized_keys in the .ssh directory.

Go into .ssh directory using:

cd .ssh

Create and open the authorized_keys file (note: you don’t have to create the file first; the command below creates it automatically if it does not exist):

nano ~/.ssh/authorized_keys

Paste the public key you generated in PuTTYgen into the file (make sure you copy everything, from top to bottom, in PuTTYgen’s public key box):

5. Paste the public key you created in PuTTYgen into the authorized_keys file

Use Ctrl + X to exit, then press Y to save and lastly press the enter key to confirm.

Now, restrict the authorized_keys permissions with the following command:

chmod 600 authorized_keys

You might get a “directory not found” error if you copy and paste the command above; type it by hand instead.

Return to the root user by typing the exit command:

6. Return to root user

Now, let’s create a new session with the new key in PuTTY. Close the current terminal and open PuTTY:

    1. Open PuTTY: locate it inside this folder: C:\Program Files\PuTTY and open putty.exe; if you are on a 32-bit system, go to this folder: C:\Program Files (x86)\PuTTY and open putty.exe
       27. Open PuTTY
       Open putty.exe ↑

       28. PuTTY opened
       PuTTY window ↑
    2. Copy the Droplet’s IP: copy your droplet’s IP address from the control panel and paste it into PuTTY’s Host Name field:
       29. Copy Droplet IP
       Copy droplet IP in the DigitalOcean control panel ↑

       30. Paste Droplet IP into PuTTY
       Paste it in the Host Name field ↑
    3. Add SSH Key: add the private SSH key we generated in PuTTYgen
       31. Add the SSH authentication
       Add SSH authentication ↑

       7. Open Private Key
       Select the private key we generated in PuTTYgen earlier ↑
    4. Add New User: add the new user to the Auto-login username field
       8. Add the new user name
       Type in your new username ↑
    5. Lastly: save your session for recurring logins
       Save the new session ↑

Once you are done with the above steps, you can open PuTTY and select your new session to access your server.

Let’s try to connect with the new session:

Open PuTTY and open the new session. Mine is the nothingcomeseasy session:

10. Refused to log in as the new user

The most likely reason you see this error is that the .ssh directory is still owned by the root user.

Log in as root and switch to your new user using:

su - nothingcomeseasy20

Then change the owner to our new user with the following command:

chown nothingcomeseasy20:nothingcomeseasy20 ~/.ssh/authorized_keys -R

or

sudo chown -R nothingcomeseasy20:nothingcomeseasy20 ~/.ssh

You might get a “directory not found” error if you copy and paste the command above; type it by hand instead.
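The .ssh setup above (mkdir, chmod 700, authorized_keys at 600) and the ownership check behind the “refused” login, as an added example that is not part of the original guide. It is meant to be run as the new user; the home directory is a parameter and the key line is a constructed sample, not a real key:

```bash
#!/bin/bash
# Added example, not from the original guide: install a public key into
# authorized_keys with the modes the guide sets (700 on .ssh, 600 on the
# file) and verify ownership and modes, which is what the refused login in
# the guide comes down to. The key line below is constructed, not real.
set -u

# Constructed sample in the one-line OpenSSH form that PuTTYgen shows in its
# "Public key for pasting into OpenSSH authorized_keys file" box.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedNotARealKey nothingcomeseasy20'

# install_authorized_key <home_dir> <public_key_line>
# Creates <home_dir>/.ssh (700), appends the key to authorized_keys unless the
# identical line is already present, and leaves the file at mode 600.
install_authorized_key() {
    local home_dir="$1" pubkey="$2"
    local ssh_dir="$home_dir/.ssh" auth_file="$home_dir/.ssh/authorized_keys"
    # PuTTYgen's "Save public key" button writes a multi-line RFC 4716 file,
    # which sshd does not accept in authorized_keys; only take the one-line form.
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not a single-line OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # -x whole line, -F fixed string: no duplicate entries on repeated runs
    grep -qxF -- "$pubkey" "$auth_file" || printf '%s\n' "$pubkey" >> "$auth_file"
}

# check_ssh_setup <home_dir>: prints "ok" when .ssh and authorized_keys are
# owned by the current user with modes 700/600 (this satisfies sshd's
# StrictModes check); otherwise prints each problem and returns 1.
check_ssh_setup() {
    local home_dir="$1" ssh_dir="$1/.ssh" rc=0 me
    me=$(id -un)
    [ "$(stat -c %U "$ssh_dir")" = "$me" ] || { echo ".ssh not owned by $me"; rc=1; }
    [ "$(stat -c %a "$ssh_dir")" = "700" ] || { echo ".ssh is not mode 700"; rc=1; }
    [ "$(stat -c %a "$ssh_dir/authorized_keys")" = "600" ] || { echo "authorized_keys is not mode 600"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}

# Demo on a throwaway directory (not your real home) so it is safe to run:
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
check_ssh_setup "$demo_home"      # prints: ok
rm -rf "$demo_home"
```

If check_ssh_setup reports that .ssh is not owned by you, the directory was created while you were still root; fix it with the chown command above and run the check again.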

Now, try logging in again with the new user session:

11. Input new user password
Enter the new user passkey ↑

Step 4: Disable Password Authentication

Since we can now log in as our new user with an SSH key, there is no point in allowing password logins; let’s disable them.

Log in to your server as the new user and open sshd_config:

sudo nano /etc/ssh/sshd_config

You might be prompted to verify your identity; enter your password and you should be presented with the screen below:

12. open sshd_config
SSHD_CONFIG ↑

Press Ctrl + W and paste in PasswordAuthentication to find the line:

13. Find password auth

Change its value to no. Most of the time it is already set this way by default, but it doesn’t hurt to cross-check:

14. Change Password auth to No

Use Ctrl + X to exit, then press Y to save and lastly press the enter key to confirm.

Reload sshd so the change takes effect:

sudo systemctl reload sshd

Step 5: Disable root login with SSH

As said above, it is best practice to disable root login over SSH:

Open sshd_config using:

sudo nano /etc/ssh/sshd_config

Find this line: PermitRootLogin yes

and change it to: PermitRootLogin no

Restart the SSH daemon with: sudo service ssh restart
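The sshd_config edits from Steps 4 and 5, as an added example that is not part of the original guide. The function handles a directive that is absent, commented out (such as the default “#PasswordAuthentication yes”) or set to another value, and the file path is a parameter so you can try it on a copy before touching /etc/ssh/sshd_config; the sample config below is constructed:

```bash
#!/bin/bash
# Added example, not from the original guide: apply the two sshd_config
# changes from Steps 4 and 5 and read the effective value back. The path is
# a parameter; the sample file is constructed, not a real server file.
set -u

# set_sshd_option <config_file> <Directive> <value>
# Rewrites the first active or commented line for <Directive>; appends one if
# none exists. Copying back with cat keeps the file's owner and mode.
set_sshd_option() {
    local cfg="$1" key="$2" val="$3" tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        !done && $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") { print key " " val; done = 1; next }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    local rc=$?
    rm -f "$tmp"
    return "$rc"
}

# get_sshd_option <config_file> <Directive>: the value sshd would use from
# this file (first uncommented occurrence wins, keywords are case-insensitive),
# or "default" when the directive is not set at all.
get_sshd_option() {
    local v
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${v:-default}"
}

# harden_sshd <config_file>: Step 4 and Step 5 in one go.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no &&
        set_sshd_option "$1" PermitRootLogin no
}

# write_sample_config <path>: constructed lines resembling the 16.04 defaults.
write_sample_config() {
    printf '%s\n' '# constructed sample, not a real server file' 'Port 22' \
        '#PasswordAuthentication yes' 'PermitRootLogin prohibit-password' \
        'ChallengeResponseAuthentication no' > "$1"
}

# Demo on a throwaway copy, never on the live file:
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg" && harden_sshd "$demo_cfg"
get_sshd_option "$demo_cfg" PermitRootLogin   # prints: no
rm -f "$demo_cfg"
```

On the server, run harden_sshd /etc/ssh/sshd_config from a root shell, validate with sudo sshd -t before reloading, and keep your current session open until a fresh key-based login as the new user succeeds.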

Lastly, let’s set up a basic firewall to further secure our server:

Step 6: Set Up the UFW Firewall on Ubuntu

By setting up a firewall, we can control the incoming and outgoing connections of our server. By default, Ubuntu ships with a tool for configuring the firewall, known as ufw (Uncomplicated Firewall).

OpenSSH is the service that lets us connect to our server, so let us tell the firewall to allow SSH connections before enabling it, so we won’t be locked out of our server:

sudo ufw allow OpenSSH

If you get “-bash: ufw: command not found”, ufw isn’t installed; install it with sudo apt-get install ufw and then retry the command above.

15. allow openssh
You can see the rule has been updated ↑

Now, enable the ufw firewall using sudo ufw enable and enter y to proceed:

16. enable ufw

Check the ufw status to confirm that the firewall is active and that OpenSSH is allowed:

sudo ufw status


ufw status
ufw status ↑

Congratulations, you are finally done with the initial server setup. You can go on to install other services, a control panel, and anything else related to setting up your website/app.
