Ubuntu Server Setup - Security Best Practices With Examples

Upon successful installation of your Debian / Ubuntu server, a few configuration steps are essential in enhancing the security and functionality of the server. In this guide, we will take you through the basic steps in the initial server setup of Debian 9 / Ubuntu 18.04 server. These basic steps will fortify your server and allow the execution of subsequent operations in a seamless manner.

Login as root user

The initial step in setting up your server is to log in as the root user. But first, you need to have your server’s IP address and the Password or a private key for authentication. To log in, open your Linux terminal and execute the command below. Be sure to substitute the server’s IP address with your IP address.

In this guide, we are using Ubuntu 18.04 server with a Public IP address

To log in using ssh via the terminal, the command is

Type ‘Yes’ and hit Enter. You will then be prompted for the server’s Password. Provide the correct Password and hit Enter.

This will drop you into the server’s shell prompt as shown below


Great! Now that we have successfully logged in to our server, let’s move over to the second step

Create a New user

For best security practices, use of the root account for administrative tasks is highly discouraged. Why is that the case? Running your server as root leaves you prone to making unintentional and costly mistakes which may be detrimental to your server. You can easily do something harmful to your system which may cause irreversible damage to your system.

For this reason, we are going to create a new non-root user and later grant it administrative privileges. This way, every time you try to execute a root-level task, you will be prompted for the password. This will give you some time to pause and think about the consequences for executing the command and stop in your tracks if you notice a costly mistake in the command execution.

To create a new user run

We are going to add a new user ‘james’

You will be prompted for the user’s password and a few additional questions. provide the necessary information

Perfect! to verify the creation of the user view the /etc/passwd and confirm the existence of the user.

Sample Output

The last line above displays information of the newly created user.

Grant Administrative privileges to the New user

So far the new user has regular account privileges. We need to setup root privileges to our newly created user so that they can perform administrative tasks by appending sudo before any operation.

To accomplish this, we need to add the user to the sudo group to avoid logging out and logging in as root every time when performing administrative tasks.

The syntax for achieving this is

In this case, the command for granting sudo privileges to user ‘james’ will be

You can now log out and log in with the new user using the command as indicated earlier

After successful login by verifying the authenticity of the server and providing the correct password, you can now you can execute any superuser tasks by preceding the command with sudo

For instance, to update the system using the account execute the command below

You will be prompted for a password and after providing it, the operation will commence.


Configure a basic Firewall

Debian and Ubuntu servers use the UFW firewall to allow or deny traffic into or out of the server.

To view existing connection in the firewall execute

As expected, OpenSSH will be displayed because we are currently using ssh to connect to the server


To allow a connection via the firewall, execute the following command.

For example, to allow SSH connections for a new server run:


To open a specific port on the firewall, use the syntax

For example


To check the status of the firewall execute


To enable the firewall, run the following command.

When prompted type yes and press ‘ENTER’ to enable the firewall and effect the changes

To view the status of the firewall again and existing connections/open ports, execute the command


Enable Passwordless authentication for the new user

At the moment, we are connecting to our server using the SSH protocol with password authentication. For best security practices, setting
up of SSH keys without password authentication is highly recommended. SSH keys come in a pair: a public key and a private key.
The Private key resides on the client machine while the public key resides on the server we are connecting to. Once the SSH key authentication is set up, Password authentication should be disabled. This ensures that only the user with the private key can connect to the server on which the public key resides.

Step 1. Generate the public key

To generate the key pair, run the command below on the client machine

You will get the output as shown

Hit ENTER to save the key pair is .ssh/ subdirectory in your home directory. Alternatively, you can specify your own path.

Next, you will be prompted for a secure passphrase which is highly recommended to add an extra protective layer. If you wish to do without a passphrase, hit ENTER.

Finally, you will get the following output

At this point, you have both the private and public key. They have been saved in the .ssh directory in your home directory. In this case, the path is /root.ssh


public and private keys

id_rsa is the private key

id_rsa_pub is the public key

Step 2. Copy the Public Key

To copy the public key to the server, we are going to use the ssh-copy-id command.

The Syntax will be

In this case, we shall execute

You will get output similar to the one below


The id_rsa.pub key which is the public key has been copied to the server.

Now if you try logging in using the syntax ssh [email protected] , you will not be prompted for a password!

Disable Password authentication

Someone can still log in to our server if they got hold of the password. To eliminate this risk, we need to disable SSH password authentication.

To achieve this, we are going to open SSH’s configuration file

Search for the section indicated as PasswordAuthentication .

Comment out the line and set the value to no

Save and Exit.

To implement the changes restart the SSH daemon

Now you can launch a new terminal and try to log in using the password and see whether Password authentication has been disabled.

Final word

At this point, you should have access to the server using SSH-key based authentication configured on your remote server and not using the SSH password.

Your server is now fully set up and has a solid security foundation. Ensure to keep your public key safe. Away from prying eyes 😀

By admin

Leave a Reply

%d bloggers like this: