Introduction
In this tutorial, we will cover how to set up your Ubuntu 18.04 based server and harden its security. This will increase the usability and security of your server and will give you a solid foundation for any future tasks you need to perform.
Prerequisites
Step 1: Log in via SSH
When you create your server, Snel sends you an email with your default username, password, and server IP address. Use those credentials to log in to your server for the first time.
If you are not familiar with the process then take a look at our How to connect to your server with SSH tutorial.
Step 2: Change password
You need to change the default password allotted to you by Snel. Use the following command to do that.
$ passwd
You will be asked for your current password first.
Step 3: Create a new Sudo user
Whether you are logged in as a root user or the default user which Snel gave you, it is always a best practice to create a new user with sudo privileges. Your Snel user-id also has sudo privileges.
Note: The root user is very powerful, with very broad privileges. You should use it only when it is absolutely necessary. For all other purposes, we will use a regular account with superuser privileges. This way you can perform administrative tasks using a regular user account by putting sudo in front of any command.
Use the following command to create a new user. You can replace sneluser with a username you like.
$ sudo adduser sneluser
You can omit the sudo command if you are logged in as the root user.
You will be asked several questions, starting with the account password. Enter a strong password and fill in any of the information if you like. The extra information is entirely optional and you can just hit ENTER to skip through them.
client_xxxxx_x@vps:~$ sudo adduser sneluser
Adding user `sneluser' ...
Adding new group `sneluser' (1001) ...
Adding new user `sneluser' (1001) with group `sneluser' ...
Creating home directory `/home/sneluser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sneluser
Enter the new value, or press ENTER for the default
    Full Name []:
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n] y
Use the following command to give your newly created account sudo privileges.
$ sudo usermod -aG sudo sneluser
Step 4: Update your server
It is important that you keep your server updated at all times. Run the following command to update the package lists on your server which store information on how and from where to download software packages.
$ sudo apt update
Now, install the package upgrades.
$ sudo apt upgrade
Note: You may be asked if you want to use an updated config file or keep the current one. Always choose the "keep the local version currently installed" option.
Step 5: Set the timezone
It is beneficial if your server operates in the same timezone as you. Run the following command to get a list of all available time zones.
$ timedatectl list-timezones
Press ENTER to scroll through the list and enter q when you reach the end to exit the command.
You can also grab the list from here.
Once you have identified your timezone, set it using the following command.
$ sudo timedatectl set-timezone Europe/Amsterdam
You can confirm the new timezone by using the following command.
$ date
Tue Mar 3 08:55:31 CET 2020
Step 6: Set up the Firewall
Ubuntu 18.04 comes with the UFW (Uncomplicated Firewall) firewall installed by default.
Before enabling the firewall, we need to set proper rules. If you enable the firewall before setting any rules, you will get locked out of your own server.
The first step is to set up default policies. These rules control how to handle the traffic that does not match any other rules. By default, UFW is set to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your server can’t connect to it while any application on your server can reach the outside world.
Use the following commands to set UFW’s default policies.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Now that our default policy is set, let’s allow the default SSH port. Run the following command.
$ sudo ufw allow ssh
Different applications register themselves by their name with UFW. Hence, it knows that SSH here refers to port 22. You can also use the following command to achieve the same effect.
$ sudo ufw allow 22
It is time to enable the firewall.
$ sudo ufw enable
You will be asked for confirmation. Enter y since we have already enabled SSH.
You can check the status of the firewall by using the following command.
$ sudo ufw status verbose
You should see a similar output.
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

You can omit the verbose argument from the command. That way, you will only be shown the open ports and protocols.
Step 7: Set the Hostname
First, check your existing hostname using the following command.
$ hostnamectl
You should see a similar output.
   Static hostname: vps.snelexample.site
         Icon name: computer-vm
           Chassis: vm
        Machine ID: f0824f3916f24a298d6b2c10dc8c68fb
           Boot ID: 5c4ef23bc3dd4d39943e89d4563674c7
    Virtualization: kvm
  Operating System: Ubuntu 18.04.4 LTS
            Kernel: Linux 4.15.0-88-generic
      Architecture: x86-64
To set up a hostname, use the following command.
$ sudo hostnamectl set-hostname host.snelexample.site
Replace host.snelexample.site with your actual hostname. Preferably, it should be an FQDN (fully qualified domain name). But if you are not sure, you can always use a custom label to identify the server.
Next, you need to resolve your hostname to your server. This can be done by editing the /etc/hosts file. Use the following command to open the hosts file in the Nano text editor.
$ sudo nano /etc/hosts
Append your hostname at the end of the line that starts with 127.0.0.1 like this.
127.0.0.1 localhost host.snelexample.site
Close the editor by pressing Ctrl + X and entering y when asked for confirmation to save the updated file.
Step 8: Log in as a new user
Exit from your current session by using the logout command and log in again via SSH using the new user you just created.
$ ssh sneluser@192.168.0.1
Replace 192.168.0.1 with the actual IP address of your server.
Step 9: Disable Root login via SSH
This is a very important step in securing your server from brute force attacks. Let us check the current status of SSH root login by using the following command.
$ sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
This is a set of two commands. The cat command outputs the file /etc/ssh/sshd_config, and the grep command searches that output for the string PermitRootLogin and prints the matching lines to the terminal.
You might see a similar output.
PermitRootLogin without-password
# the setting of "PermitRootLogin without-password".
Here, it is set to without-password. This means public-key authentication is enabled for root. Make sure the line is not commented out and is not set to yes.
To completely disable the root login via SSH, edit the config file by using the following command.
$ sudo nano /etc/ssh/sshd_config
Change the line containing PermitRootLogin as below.
PermitRootLogin no
Save the file by pressing Ctrl + X and entering Y when prompted.
Restart the SSH server to apply the changes.
$ sudo systemctl restart sshd
You can check by logging out and trying to log back in as the root user. The server will refuse.
Step 10: Change SSH Port (Optional)
This step is entirely optional but is considered good security practice. Changing the default SSH port (22) prevents malicious bots from trying to log in to your server. To change the port, open the SSH configuration file again by using the following command.
$ sudo nano /etc/ssh/sshd_config
Find the line which says the following.
#Port 22
Uncomment the line by removing the hash and change the value to any port between 1024 and 65535. Here we are using port 2254.
Port 2254
Save the file by pressing Ctrl + X and entering y when prompted.
We will also need to allow this new port in our firewall. Open port 2254 using UFW.
$ sudo ufw allow 2254
Since we no longer use the default port, we can delete it from our firewall’s list.
$ sudo ufw delete allow ssh
Restart the SSH server to apply the changes.
$ sudo systemctl restart sshd
Reload the firewall to apply the new settings.
$ sudo ufw reload
Now, you won’t be able to log in via SSH without specifying a port. Modify your SSH command as follows to log in via the changed port.
$ ssh -p 2254 sneluser@192.168.0.1
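The checks behind Steps 9 and 10, as an added example that is not part of the original tutorial: it reports which PermitRootLogin value is actually in effect and confirms that every configured SSH port has a UFW allow rule before sshd is restarted. The function names and the sample files are constructed for illustration; on a live server, pass /etc/ssh/sshd_config and the saved output of sudo ufw status instead.

```shell
#!/bin/sh
# Added example (not from the original tutorial). sshd honours the FIRST
# uncommented occurrence of a keyword and matches keywords case-insensitively,
# so a plain grep for PermitRootLogin can show lines that are not in effect.

# Print each global value of KEYWORD in FILE, in file order.
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        tolower($1) == "match"   { exit }   # Match blocks are not global
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == tolower(want) { print f[2] }
    ' "$1"
}

# Effective PermitRootLogin; an unset keyword falls back to the OpenSSH
# default (prohibit-password since OpenSSH 7.0).
root_login_policy() {  # usage: root_login_policy FILE
    v=$(sshd_values "$1" PermitRootLogin | head -n 1)
    echo "${v:-prohibit-password}"
}

# Succeed only if every sshd port has an ALLOW rule in saved "ufw status"
# output. Rules added by application profile name are not recognised here.
ports_allowed() {  # usage: ports_allowed SSHD_CONFIG UFW_STATUS_FILE
    ports=$(sshd_values "$1" Port)
    for p in ${ports:-22}; do
        grep -Eq "^${p}(/tcp)?[[:space:]]+ALLOW" "$2" ||
            { echo "port $p has no ALLOW rule"; return 1; }
    done
}

# Constructed sample inputs, written to a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
#Port 22
Port 2254
EOF
printf '%s\n' 'Status: active' '' 'To      Action      From' \
    '22/tcp  ALLOW       Anywhere' > "$tmp/ufw_before"
printf '%s\n' 'Status: active' '' 'To      Action      From' \
    '2254    ALLOW       Anywhere' > "$tmp/ufw_after"

echo "PermitRootLogin in effect: $(root_login_policy "$tmp/sshd_config")"
ports_allowed "$tmp/sshd_config" "$tmp/ufw_before" || echo "fix the firewall first"
ports_allowed "$tmp/sshd_config" "$tmp/ufw_after" && echo "safe to restart sshd"
```

On a real host, sudo sshd -t also checks the configuration file for syntax errors before the restart.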
Step 11: Reboot Server
This is the last step. Now that we have installed and upgraded packages, the server needs to be rebooted to apply some of those changes. Use the following command to reboot your server.
$ sudo reboot
Conclusion
This concludes our tutorial on setting up an Ubuntu 18.04 based server, where we learned how to add a new sudo user, update packages, and configure the firewall, timezone, and hostname. We also hardened our SSH server against common malicious attacks.