Upon successful installation of your Debian / Ubuntu server, a few configuration steps are essential in enhancing the security and functionality of the server. In this guide, we will take you through the basic steps in the initial server setup of Debian 9 / Ubuntu 18.04 server. These basic steps will fortify your server and allow the execution of subsequent operations in a seamless manner.
Login as root user
The initial step in setting up your server is to log in as the root user. But first, you need to have your server’s IP address and the Password or a private key for authentication. To log in, open your Linux terminal and execute the command below. Be sure to substitute the server’s IP address with your IP address.
|
1 |
ssh user@ip-address |
In this guide, we are using Ubuntu 18.04 server with a Public IP address 38.76.11.180.
To log in using ssh via the terminal, the command is
|
1 |
ssh root@38.76.11.180 |
Type ‘Yes’ and hit Enter. You will then be prompted for the server’s Password. Provide the correct Password and hit Enter.
This will drop you into the server’s shell prompt as shown below
Great! Now that we have successfully logged in to our server, let’s move over to the second step
Create a New user
For best security practices, use of the root account for administrative tasks is highly discouraged. Why is that the case? Running your server as root leaves you prone to making unintentional and costly mistakes which may be detrimental to your server. You can easily do something harmful to your system which may cause irreversible damage to your system.
For this reason, we are going to create a new non-root user and later grant it administrative privileges. This way, every time you try to execute a root-level task, you will be prompted for the password. This will give you some time to pause and think about the consequences for executing the command and stop in your tracks if you notice a costly mistake in the command execution.
To create a new user run
|
1 |
adduser user_name |
We are going to add a new user ‘james’
|
1 |
adduser james |
You will be prompted for the user’s password and a few additional questions. provide the necessary information
Perfect! to verify the creation of the user view the /etc/passwd and confirm the existence of the user.
|
1 |
cat /etc/passwd |
Sample Output
The last line above displays information of the newly created user.
Grant Administrative privileges to the New user
So far the new user has regular account privileges. We need to setup root privileges to our newly created user so that they can perform administrative tasks by appending sudo before any operation.
To accomplish this, we need to add the user to the sudo group to avoid logging out and logging in as root every time when performing administrative tasks.
The syntax for achieving this is
|
1 |
usermod -aG sudo user_name |
In this case, the command for granting sudo privileges to user ‘james’ will be
|
1 |
usermod -aG sudo james |
You can now log out and log in with the new user using the command as indicated earlier
|
1 |
ssh james@38.76.11.180 |
After successful login by verifying the authenticity of the server and providing the correct password, you can now you can execute any superuser tasks by preceding the command with sudo
For instance, to update the system using the account execute the command below
|
1 |
sudo apt update |
You will be prompted for a password and after providing it, the operation will commence.
Configure a basic Firewall
Debian and Ubuntu servers use the UFW firewall to allow or deny traffic into or out of the server.
To view existing connection in the firewall execute
|
1 |
sudo ufw app list |
As expected, OpenSSH will be displayed because we are currently using ssh to connect to the server
Output
To allow a connection via the firewall, execute the following command.
|
1 |
ufw allow service_name |
For example, to allow SSH connections for a new server run:
|
1 |
sudo ufw allow OpenSSH |
Output
To open a specific port on the firewall, use the syntax
|
1 |
sudo ufw allow port/protocol |
For example
|
1 |
sudo ufw allow 80/tcp |
Output
To check the status of the firewall execute
|
1 |
sudo ufw status |
Output
To enable the firewall, run the following command.
|
1 |
sudo ufw enable |
When prompted type yes and press ‘ENTER’ to enable the firewall and effect the changes
To view the status of the firewall again and existing connections/open ports, execute the command
Enable Passwordless authentication for the new user
At the moment, we are connecting to our server using the SSH protocol with password authentication. For best security practices, setting
up of SSH keys without password authentication is highly recommended. SSH keys come in a pair: a public key and a private key.
The Private key resides on the client machine while the public key resides on the server we are connecting to. Once the SSH key authentication is set up, Password authentication should be disabled. This ensures that only the user with the private key can connect to the server on which the public key resides.
Step 1. Generate the public key
To generate the key pair, run the command below on the client machine
|
1 |
ssh-keygen |
You will get the output as shown
Hit ENTER to save the key pair is .ssh/ subdirectory in your home directory. Alternatively, you can specify your own path.
Next, you will be prompted for a secure passphrase which is highly recommended to add an extra protective layer. If you wish to do without a passphrase, hit ENTER.
Finally, you will get the following output
At this point, you have both the private and public key. They have been saved in the .ssh directory in your home directory. In this case, the path is /root.ssh
|
1 |
cat /root/.ssh |
Output
id_rsa is the private key
id_rsa_pub is the public key
Step 2. Copy the Public Key
To copy the public key to the server, we are going to use the ssh-copy-id command.
The Syntax will be
|
1 |
ssh-copy-id user@remote-server |
In this case, we shall execute
|
1 |
ssh-copy-id james@38.76.11.180 |
You will get output similar to the one below
The id_rsa.pub key which is the public key has been copied to the server.
Now if you try logging in using the syntax ssh [email protected] , you will not be prompted for a password!
Disable Password authentication
Someone can still log in to our server if they got hold of the password. To eliminate this risk, we need to disable SSH password authentication.
To achieve this, we are going to open SSH’s configuration file
|
1 |
sudo vim /etc/ssh/sshd_config |
Search for the section indicated as PasswordAuthentication .
Comment out the line and set the value to no
Save and Exit.
To implement the changes restart the SSH daemon
|
1 |
sudo systemctl restart ssh |
Now you can launch a new terminal and try to log in using the password and see whether Password authentication has been disabled.
Final word
At this point, you should have access to the server using SSH-key based authentication configured on your remote server and not using the SSH password.
Your server is now fully set up and has a solid security foundation. Ensure to keep your public key safe. Away from prying eyes 😀