Blogpost

Published: 2020-06-13 - Updated: 2021-11-15

Config a fresh Ubuntu server

Abstract

Basic configuration you should apply to a new Ubuntu server installation in order to keep your server safe.

I recommend using a unix shell for the next steps. On Windows 10 you can install Ubuntu! I have tested the commands on Ubuntu 20.04 (server side). Now let's start by connecting to your server. If you are not logged in as the root user, prefix the commands in this guide with "sudo " where they do not already have that prefix. You need root/sudo access for this tutorial. Now connect using ssh root@yourServerIP. Get in position.

This article is part of a series:



Create a new sudo user

adduser userName creates a new user named "userName" including a home directory. The command will also ask you for a password of your choice (choose a strong password!) and some additional personal data that you are allowed to skip by just hitting enter. In the end you have to confirm your input by typing "y" and hitting enter.

usermod -aG sudo userName will add your newly created user to the "sudo" group. This allows you to execute commands with extended rights by prefixing them with "sudo ".

You can now log out of your ssh session using exit and log in again using ssh userName@IPAddress.

Why do this?

You should not use the root user for your regular access to the server, in order not to harm your system. Every script you execute as the root user has unrestricted access to your system and can create a huge mess.

Change SSH port and disable root access via ssh

Caution: if the next steps are not executed carefully it is possible to lock yourself out of your server. This step is not as important as the others; if you want, you can skip it.

  • open the ssh config file using sudo nano /etc/ssh/sshd_config
    • search for "PermitRootLogin yes" and change it to "PermitRootLogin no" in order to not allow root login via ssh
    • add the line "AllowUsers userName" in order to only allow ssh login for the user you created in the first step
      • if you want to allow multiple users: "AllowUsers userName anotherUser"
    • uncomment the line "#Port 22" by removing "#" and set the port to a privileged port in the range from 1-1024
      • the line could for example be "Port 1002"
      • it is good to choose an unassigned port from this page in order to avoid conflicts when using specific tools
      • to check if the port is available execute sudo lsof -i -P -n | grep LISTEN which gives you a list of the ports in use
  • now execute sudo service ssh reload in order to apply your changes
  • if you now run sudo lsof -i -P -n | grep LISTEN you should see that ssh is listening on the new port you chose; otherwise try sudo service ssh restart and check again
  • from now on you need to use ssh -p yourPort userName@IPAddress to connect to the server
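The same edits as a script, added here as an example that is not part of the original post: it rewrites the directives idempotently and runs "sshd -t" before reloading, which is the check that saves you from the lock-out warned about above. It assumes POSIX sh with grep/awk/mktemp, sshd at /usr/sbin/sshd and the "service ssh reload" command used above; the config path is a parameter, so the functions can first be tried on a scratch copy.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config
# edits above idempotently and validate the file before reloading.
# Assumes POSIX sh with grep/awk/mktemp, sshd at /usr/sbin/sshd and the
# "service ssh reload" command used above.

# set_sshd_option FILE KEY VALUE
# Removes every active or commented "KEY ..." line and writes a single
# "KEY VALUE" at the top. Top, not bottom: sshd takes the first
# occurrence of a keyword, and a line appended after a "Match" block
# would only apply inside that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    pattern="^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)"
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$key" "$value"
        grep -Eiv "$pattern" "$file" || true   # grep exits 1 if nothing is left
    } > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place, keeping the file's mode/owner
    rm -f "$tmp"
}

# get_sshd_option FILE KEY
# Prints the value sshd would use: the first uncommented match.
get_sshd_option() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 \
        | awk '{ $1 = ""; sub(/^ +/, ""); print }'
}

# harden_sshd FILE USER PORT : the three edits from the steps above.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "$2"
    set_sshd_option "$1" Port "$3"
}

# apply_sshd_config FILE
# Lock-out guard: "sshd -t" rejects a file with a syntax error, so the
# daemon is only reloaded when it can actually parse the new config.
# Needs root; keep your current session open until a second login works.
apply_sshd_config() {
    /usr/sbin/sshd -t -f "$1" && service ssh reload
}

# Typical use (as root):
#   harden_sshd /etc/ssh/sshd_config userName 1002 && apply_sshd_config /etc/ssh/sshd_config
```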

Why change some ssh settings?

The changes you applied fend off some of the default automated brute force attacks against your server.

Activate the firewall

sudo ufw allow thePortFromThePreviousStep/tcp is crucial in order not to lock yourself out once the firewall is up. If you chose port "1002" this command would look like "sudo ufw allow 1002/tcp". If you have skipped the previous step you can type sudo ufw allow ssh.

sudo ufw default deny incoming changes the default behaviour to deny incoming access.

sudo ufw enable enables the firewall. Answer with "y" and enter.

You should add rules to your firewall only when you really need to access a resource from the outside; you can also limit the access on a specific port to a defined IP address. Here you have an article that covers more on the rules you can define using ufw.

Why ufw?

The firewall protects your internal applications from access from the outside. Which is good!

Use an ssh key to connect to your server

On your local computer (works with Windows cmd and unix shells!!) create an ssh key with ssh-keygen -b 4096 ("-b 4096" tells ssh-keygen to create a 4096 bit key). When you are asked for a password you can enter one of your choice or leave it empty. If you enter one, access to your server is even more secure, because you additionally need to specify the password you chose here. So remember it!

Now we need to copy the public key to our server. On Ubuntu this can be done using ssh-copy-id -p yourPort username@yourServerIP. More methods to copy the key can be found in the first article linked in the Sources ssh section. If you are using the default ssh port you can omit the "-p yourPort" part.

If you left the password empty while creating the ssh key you should now be able to log in to your server by just using ssh -p yourPort yourAccountName@yourServerIP; otherwise you are prompted for the password you chose. As before, if you have not changed your ssh port you can omit the "-p yourPort" part.

If you have successfully logged in using your SSH key you can disable password logins by changing the following values in "/etc/ssh/sshd_config". But make sure you do not lose your SSH key (make a backup)!!

PasswordAuthentication no

PubkeyAuthentication yes

Then restart ssh using service ssh restart.

(added: 2021-11-15, source).

Why ssh keys?

SSH keys are more secure than the average password. They are long and it's not very likely to find them in any rainbow table. If you want to read more on this topic.

Sources ssh

Activate auto updates

Execute the following steps:

  • sudo apt install unattended-upgrades
  • sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
    • hint: you can search within nano by hitting "ctrl + w"
    • remove the double slashes "//" at the beginning of the line "//${distro_id}:${distro_codename}-updates"; this is called uncommenting
    • remove them at the beginning of the line "Unattended-Upgrade::Mail "yourEmail@example.com";" and set your email in order to receive notifications about updates
    • uncomment the following lines
      • Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
        Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
    • uncomment this line "Unattended-Upgrade::Automatic-Reboot "false";" and change the value from "false" to "true" if you want the server to restart if required
    • if you chose "true" in the previous step uncomment this line and set the time you want the server to reboot: "Unattended-Upgrade::Automatic-Reboot-Time "02:00"";
    • hit "ctrl + x", type "y" to save changes and hit enter to exit
  • open the next file sudo nano /etc/apt/apt.conf.d/20auto-upgrades
    • add the following lines
      • APT::Periodic::Update-Package-Lists "1";
        APT::Periodic::Download-Upgradeable-Packages "1";
        APT::Periodic::AutocleanInterval "7";
        APT::Periodic::Unattended-Upgrade "1";
    • the time measures are in days; feel free to adapt them
    • again save and exit
  • execute sudo unattended-upgrades --dry-run --debug in order to test if the auto updates work
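A check for the two files edited above, added here as an example that is not part of the original post: it reads apt.conf syntax (where a line starting with "//" is a comment) and reports which of the settings from the steps above are still missing, so the hand edits can be confirmed before relying on the server to patch itself. It assumes POSIX sh with grep/sed; the file paths are parameters so it can run on scratch copies.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two apt files
# edited above and print what is still missing. Assumes POSIX sh with
# grep/sed; paths are parameters so it runs on scratch copies.

# apt_conf_get FILE KEY
# Prints the value of an active  KEY "value";  line. In apt.conf syntax a
# line starting with // is a comment, so the original, still-commented
# lines yield nothing and the uncommented ones yield their value.
apt_conf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*\"[^\"]*\"[[:space:]]*;" "$1" \
        | head -n 1 | sed -E 's/^[^"]*"([^"]*)".*/\1/'
}

# check_auto_upgrades PERIODIC_FILE UNATTENDED_FILE
# Returns 0 when unattended upgrades are fully wired up, 1 otherwise,
# printing one line per problem found.
check_auto_upgrades() {
    periodic=$1; unattended=$2; rc=0
    for key in APT::Periodic::Update-Package-Lists \
               APT::Periodic::Unattended-Upgrade; do
        v=$(apt_conf_get "$periodic" "$key")
        if [ -z "$v" ] || [ "$v" = "0" ]; then
            echo "missing or disabled: $key"; rc=1
        fi
    done
    # Without the -updates origin only the default origins (security fixes) are installed.
    if ! grep -Eq '^[[:space:]]*"\$\{distro_id\}:\$\{distro_codename\}-updates";' \
            "$unattended"; then
        echo 'missing: ${distro_id}:${distro_codename}-updates origin'; rc=1
    fi
    # Automatic-Reboot without a time means "reboot immediately after upgrading".
    if [ "$(apt_conf_get "$unattended" Unattended-Upgrade::Automatic-Reboot)" = "true" ] &&
       [ -z "$(apt_conf_get "$unattended" Unattended-Upgrade::Automatic-Reboot-Time)" ]; then
        echo "Automatic-Reboot is true but Automatic-Reboot-Time is not set"; rc=1
    fi
    return $rc
}

# Typical use:
#   check_auto_upgrades /etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/50unattended-upgrades
```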

Why auto updates?

Applying patches to your software is always a good idea in order to keep it as secure as possible.


List of shell commands

User commands

  • create a user with home directory sudo adduser userName
  • add a user to sudo group sudo usermod -aG sudo userName
  • delete a user and some of its data sudo userdel -r userName
    • the flag "-r" removes the mail spool and home directory

ssh commands

  • connect via ssh ssh -p yourPort userName@IPAddress
  • create a ssh key ssh-keygen -b 4096
  • copy ssh public key to server ssh-copy-id -p yourPort username@yourServerIP

ufw commands

  • allow external connection to port sudo ufw allow yourPort
  • check status of firewall sudo ufw status verbose
  • deny all connections per default sudo ufw default deny incoming
  • enable firewall sudo ufw enable

Miscellaneous commands

  • list of ports in use - sudo lsof -i -P -n | grep LISTEN

Additional steps

Rate limitation

Rate limitation helps you to make brute force attacks a lot more difficult: https://askubuntu.com/a/32256 (added: 2021-11-15)


Tags

#ubuntu #security #linux #tutorial