Setting Up a Basic Server with Ubuntu 16.04

in #linux6 years ago

enter image description here

This guide serves as the template for all my servers running Ubuntu 16.4. The default server installation needs additional configuration before being considered appropriate to use in production. Although it is popular to use automation tools nowadays, this guide does not. We will do everything by hand. This will be an artisanal server.

Prerequisites

This guide assumes that you this will be a remote server. This server should already have Ubuntu Server 16.04. This server needs to have an SSH server and you need have root access.

We will be using REMOTE_SERVER_IP as placeholder for the IP address of the remote server. We USER_NAME as the placeholder for your serves user name.

Remote Login

From your local computer connect to the remote server with ssh.

ssh  root@REMOTE_SERVER_IP

Update the Server

Update the software repositories.

apt-get update

Install updated software

apt-get upgrade

Nano

Unless you have confidence with another terminal editor, you should use nano. If nano is not already installed, you can install it easily.

apt-get install nano

Create a User

Running as root is discouraged. Instead we will create a new user with sudo privileges.

adduser USER_NAME

You will be asked to set the new user's password then a few other questions that can be left blank.

Now give this user sudo privileges.

usermod -aG sudo USER_NAME

Generate SSH Keys

If you already have SSH keys ready, skip this section.
On your local machine generate your pair of SSH keys.

ssh-keygen

You will be asked several questsion. Accept the default file location for the key. Answer the others as you wish.

Note: If you leave the passphrase blank, then your system will be less secure. Possession of the keys will be enough to gain access. Convenience is often the enemy of security.

Copy the Public Key

On your local machine copy your public SSH key to the remote server.

ssh-copy-id USER_NAME@REMOTE_SERVER_IP

Remember to use the password for the new user.

After the key has been successfully copied, log into the remote server as USER_NAME.

ssh USER_NAME@REMOTE_SERVER_IP

Harden SSH

We are going to reconfigure our SSH server by editing sshd_config.

sudo nano /etc/ssh/sshd_config

Check and make sure that public key authentication is enabled. Find the line that starts PubkeyAuthentication. Make sure it is set you yes.

PubkeyAuthentication yes

We want to disable password authentication. Find the line that starts PasswordAuthentication. Set this to no.

PasswordAuthentication no

We do not want root to be able to log in remotely. Find the line that starts PermitRootLogin. Set this to no

PermitRootLogin no

Reload the SSH server. This may cause you to lose your SSH connection.

sudo service ssh restart

If you would like a more info about securing SSH, please read my post Hardening SSH
.

Fail2Ban

Fail2Ban is great an intrusion prevention tool. It can watch the logs and temporarily IP address based on suspicions activity. We want fail2ban to watch our SSH logs. If an IP makes to many bad requests we will temporarily ban them.

sudo apt-get install fail2ban

Copy the configuration files.

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the jail.local and enable monitoring of SSH.

sudo nano /etc/fail2ban/jail.local

Find the [ssh] section. Change enable to true.

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6 

Then restart the service.

sudo systemctl restart fal2ban

The Firewall

Install the Uncomplicated Firewall(UFW).

sudo apt-get install ufw

Your firewall configuration will change as you add server programs. This guide only cares about the SSH server.

sudo ufw allow ssh

Then enable the firewall.

sudo ufw enable

If you would like a more detailed guide to UFW check out my post, A Guide to the Uncomplicated Firewall (UFW) for Linux

Conclusion

If have followed this guide you will have a basic server that is just a bit more secure.

Sort:  

Hello @mr-rigden, upv0t3
This is a free service for new steemit users, to support them and motivate them to continue generating valuable content for the community.
<3 This is a heart, or an ice cream, you choose.

:)


R4ND0M:
3706 9805 9111 3028
4767 5207 3563 3339
4366 6097 3730 8325
7293 5737 9528 8006

Coin Marketplace

STEEM 0.35
TRX 0.12
JST 0.040
BTC 70753.86
ETH 3589.34
USDT 1.00
SBD 4.75