For this tutorial, I am assuming you have just set up a fresh server running Ubuntu Linux 20.04 LTS, and you are able to open a terminal and SSH into a command prompt as the root user.
Placeholder | Description |
---|---|
SERVER-IP | Replace this with the IP address of your server |
HOSTNAME | This is the hostname of your server. For example, if this will be www.yourdomain.com, consider using simply www |
ROOTPASS | Replace this with the password for your root user |
MYUSER | Replace this with the username you will use for normal logins to the server "Bob, Joe, Linda, etc" |
MYPASS | Replace this with the password you create for MYUSER |
For the purposes of security, please be in the habit of creating a different password for every account or login you make. I would ask that you make your passwords 32 characters long, using a mixture of uppercase, lowercase, numbers and symbols.
Example: | 2oHm7Vmp*mbiaLgV6RmCbdX_qRzm4pk |
---|
Do not use this password!
If you are not already connected to your server, log in now as the root user using the following command (substitute SERVER-IP with your server's public IP address):
$ ssh root@SERVER-IP
Now let's make sure everything is updated on your server:
$ apt update && apt upgrade -y
This may take some time, and you may see a message that says System restart required when it finishes. If so, type in reboot, followed by [ENTER]. Wait a few minutes, then log back in via SSH to continue.
To start let's configure the hostname:
$ nano /etc/hosts
At the top of the file, you probably only see this:
127.0.0.1 localhost
Change it to:
127.0.0.1 localhost.localdomain localhost
127.0.0.1 HOSTNAME
Based on the table at the top of this page, replace HOSTNAME with whatever you wish to use. Example: www, or dev, etc. Now save the file by hitting [CTRL-X], then Y, then [ENTER].
Most of us want the time on our server to be the same time zone that we are in. To set it, run the following command:
$ dpkg-reconfigure tzdata
Start by picking the general geographic area, for example "America", then hit [ENTER]. Now scroll until you find a city that is in your time zone, for example "New York", and hit [ENTER] again. Finally, run the following command:
$ timedatectl
You should see output similar to the following:
Local time: Wed 2022-01-26 15:18:58 EST
Universal time: Wed 2022-01-26 20:18:58 UTC
RTC time: Wed 2022-01-26 20:18:58
Time zone: America/New_York (EST, -0500)
System clock synchronized: yes
NTP service: active
Note that in my example, it says America/New_York (EST, -0500) on the fourth line. For you, it should show the timezone you selected, and the first line should show the correct time (in Military Time) and date for your local timezone.
The default root user in Linux is the administrative user that has absolute privileges. Because of this, it is a very, very bad idea to use that account unless absolutely necessary, and we want to make it very difficult for a possible hacker to get in as the root user. So we will make a new account right away for all of the work we will be doing. Keep in mind, you will be able to get temporary root privileges with the account we are making when you absolutely need them.
Right now, let's make a very strong password for the root user. Refer to the password advice above.
$ passwd root
You will now be asked for a password. Enter the password you just created, hit enter, and then enter it again to verify. Later in this tutorial, we will refer to this password as ROOTPASS.
Now let's make sure everything on our server is up to date.
$ apt update && apt upgrade -y
As noted above, the new user we will create will be called MYUSER. You can make it whatever you want, but it is best not to make it too easy to guess. Similarly, below we will say MYPASS for the password you create for this user.
$ adduser MYUSER
Now enter the password you created and answer the questions as follows:
New password: MYPASS
Full Name []: (enter anything you like or leave blank and hit enter)
Room Number []: (enter anything you like or leave blank and hit enter)
Work Phone []: (enter anything you like or leave blank and hit enter)
Home Phone []: (enter anything you like or leave blank and hit enter)
Other []: (enter anything you like or leave blank and hit enter)
Is the information correct? [Y/n] Y
Our new account has very basic privileges, but we will need to do administrative tasks. Since we never want to log in as the root user, we will give root privileges (superuser) to this account. Once we have this, when we enter sudo before any command, we will be running it with administrative privileges.
So we want to add our user to the sudo group while we are still logged in as the root user.
$ usermod -aG sudo MYUSER
We will use the UFW firewall on our Ubuntu 20.04 server. This will ensure that only connections to services we want available to the public are allowed. Since we are using SSH to get into our server, we need to make sure SSH is allowed.
$ ufw allow OpenSSH
Now we simply need to turn on the firewall:
$ ufw enable
You will be asked for a confirmation. Type y and then enter.
Now let's make sure it worked:
$ ufw status
You should see the following output:
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
This means that our server is now blocking all connections except SSH. Later on we will add more permissions to the ufw firewall as we need them.
If you needed a password when you logged into your root account, you should be able to open a new terminal window and log in the same way with your new user. Do not close the terminal window your root user is logged in with yet!
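To re-check that claim later, once more rules have been added, the following added example (not part of the original tutorial) compares `ufw status` output against the list of services you expect to be open. The function name `audit_ufw_status` and the sample text, including its extra 3306/tcp rule, are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads `ufw status` text on stdin and compares each rule's
# "To" column with an allow-list. Returns 0 only when the firewall is active
# and every rule is on the list; otherwise prints what it found and returns 1.
audit_ufw_status() {
    awk -v allowed="$1" '
        BEGIN { bad = 0; n = split(allowed, a, " ")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Status:" { active = ($2 == "active"); next }
        NF == 0 || /^--/ || ($1 == "To" && $2 == "Action") { next }
        {
            # The "To" column is every field before the action keyword;
            # the "(v6)" marker is dropped so IPv6 twins match the same name.
            to = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) break
                if ($i == "(v6)") continue
                to = (to == "" ? $i : to " " $i)
            }
            if (!(to in ok)) { print "unexpected rule: " $0; bad = 1 }
        }
        END { if (!active) { print "firewall is not active"; bad = 1 }
              exit bad }
    '
}

# Constructed sample: the output shown above plus one rule nobody intended.
sample='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
3306/tcp                   ALLOW       Anywhere'

printf '%s\n' "$sample" | audit_ufw_status "OpenSSH" || echo "review the rules above"
# On the server: ufw status | audit_ufw_status "OpenSSH"
```

Pass several names as one space-separated string when more services are meant to be public.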
$ ssh MYUSER@SERVER-IP
If you were asked for a password, and you entered what you selected for MYPASS, and got in, you are set for now. However, this is not a very secure way to log in, and you should consider learning how to log in using SSH keys.
A tutorial for that can be found here: Ubuntu 20.04 How to Set Up SSH Keys
If you were able to log in as root without a password, you are probably already set up with SSH Key Authentication. That's great, but we need to make sure your new user can get in that way as well, because in our Ubuntu 20.04 - Hardening tutorial, we will set up your server so that people cannot log in with a password.
Again, if you logged into root without a password, your public key is in the root user's ~/.ssh/authorized_keys file. We will copy that to our new account.
$ rsync --archive --chown=MYUSER:MYUSER ~/.ssh /home/MYUSER
Don't forget to replace MYUSER with the username you created.
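Key logins for the new account only work if the copied files end up with the right owner and permissions, so here is an added check (not part of the original tutorial) to run after the rsync step. It assumes GNU stat, as shipped with Ubuntu; the function name `check_ssh_dir` and the temporary demo directory are constructed for illustration.

```sh
#!/bin/sh
# Added example. sshd's StrictModes setting (on by default) refuses to use
# authorized_keys when the home directory, ~/.ssh or the key file is writable
# by group/others or owned by someone other than the user or root.
# Usage: check_ssh_dir HOME_DIR NUMERIC_UID; returns 0 when all paths pass.
check_ssh_dir() {
    home="$1"; uid="$2"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        owner=$(stat -c '%u' "$p")   # numeric owner uid
        mode=$(stat -c '%a' "$p")    # octal permission bits, e.g. 700
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "owner uid $owner, expected $uid: $p"; rc=1
        fi
        # 022 masks the group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "mode $mode is group/world writable: $p"; rc=1
        fi
    done
    return $rc
}

# Constructed demo tree standing in for /home/MYUSER, with a key file that
# was deliberately left group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 755 "$demo"; chmod 700 "$demo/.ssh"; chmod 664 "$demo/.ssh/authorized_keys"
check_ssh_dir "$demo" "$(id -u)" || echo "fix with: chmod 600 on authorized_keys"
rm -rf "$demo"
# On the server, as root: check_ssh_dir /home/MYUSER "$(id -u MYUSER)"
```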
Now open a new terminal window and try to log in with your new user account.
$ ssh MYUSER@SERVER-IP
OK, you now have a basic setup. Assuming you are able to log in with your new account, you can log out of your root account and proceed to the next tutorial: Ubuntu 20.04 - Hardening. In that tutorial, we will change many settings to make it extremely difficult for a hacker to breach your server.