This tutorial is a brief description of the standard procedure that I follow each time I have to set up a new Ubuntu VPS server.
Change Root Password
This is a no-brainer. Change the root password from the default supplied by your hosting company:
$ passwd
Enter new UNIX password:
Retype new UNIX password:
One thing every server admin finds out sooner or later is that their server gets hundreds of failed login/break-in attempts each day. Just have a look at /var/log/auth.log and you'll see what I'm talking about. Unfortunately, this is quite normal on today's internet.
Most of those attacks originate from botnets, trying to SSH into every single IP address that belongs to your hosting company, using dictionary attacks on well-known accounts (e.g. root). The simplest action you can take for peace of mind is to disable SSH login as root, and assign that role to another user with a non-trivial username.
Create a new user:
$ adduser YOUR_USER
Edit your SSH configuration:
$ nano /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers YOUR_USER
MaxStartups 3:50:10
LoginGraceTime 30
MaxAuthTries 3
$ service ssh restart
Before closing your SSH session, open another terminal window and try to log in as the new user you have just created. If everything works as expected, you can exit the previous SSH session.
Public Key Authentication
Ideally you should disable password logins altogether and log in exclusively using Public Key Authentication.
On your local machine generate a set of RSA keys to use for authentication:
Then, copy your public key to the VPS server:
$ ssh-copy-id YOUR_USER@YOUR_SERVER
On your VPS server, edit the SSH daemon configuration to enable Public Key Authentication:
$ nano /etc/ssh/sshd_config
PubkeyAuthentication yes
UsePAM no
ChallengeResponseAuthentication no
$ service ssh restart
Now test whether you can log in from your local machine to your server without a password:
$ ssh YOUR_USER@YOUR_SERVER
If the above step works, you can disable password logins:
$ nano /etc/ssh/sshd_config
PasswordAuthentication no
And one final restart:
$ service ssh restart
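The sshd_config edits from the root-login section and from this section, collected into one idempotent script with a syntax check before the restart. This is an added example, not code from the original post; FILE and USER are arguments, and YOUR_USER is the placeholder from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the sshd_config directives
# from the root-login and public-key sections in one idempotent pass, then syntax-check
# the file with `sshd -t` before restarting the daemon. FILE and USER are arguments;
# YOUR_USER is the placeholder from the post.

# set_sshd_option FILE KEY VALUE: rewrite an existing (or commented-out) KEY line,
# or append one if absent, so re-running never leaves duplicate directives behind.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key([[:space:]]|$)" "$file"; then
        # only the first match is rewritten; sshd honours the first occurrence anyway
        awk -v k="$key" -v v="$value" '
            !done && $0 ~ "^[# \t]*" k "([ \t]|$)" { print k " " v; done = 1; next }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: the effective value (first uncommented occurrence), for checks.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE USER: every directive the post sets across both sections.
# Only run this once key-based login has been verified from a second terminal,
# because PasswordAuthentication no locks out anyone without a working key.
harden_sshd() {
    file=$1; user=$2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" AllowUsers "$user"
    set_sshd_option "$file" MaxStartups 3:50:10
    set_sshd_option "$file" LoginGraceTime 30
    set_sshd_option "$file" MaxAuthTries 3
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" UsePAM no
    set_sshd_option "$file" PasswordAuthentication no
}

# validate_sshd FILE: a config sshd cannot parse means the restart fails and you may
# be locked out of a remote box, so test it first. Returns 0 if sshd is not installed.
validate_sshd() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}
```

Typical use is `harden_sshd /etc/ssh/sshd_config YOUR_USER && validate_sshd /etc/ssh/sshd_config && service ssh restart`, with a second SSH session kept open until the new one is confirmed working.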
Fail2Ban is an intrusion prevention software framework that scans your log files and bans IPs that try to brute-force their way into your server.
$ apt install fail2ban
Copy the default configuration file and edit:
$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ nano /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3h
findtime = 1h
maxretry = 3
destemail = YOUR_EMAIL
mta = mail
action = %(action_)s

[sshd]
enabled = true
Make sure to replace YOUR_EMAIL with your actual email address. If you want to receive an email each time an IP is banned replace
You might also want to customize some of the parameters.
maxretry is the number of failed attempts after which the ban action on that IP will trigger.
findtime is the period during which
bantime is the duration of the ban.
Restart service for the changes to take effect:
$ service fail2ban restart
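What the sshd jail configured above actually decides, shown as an added example (not code from the original post or from the Fail2Ban project): a per-IP sliding window of failed SSH logins over constructed auth.log lines, reporting the addresses that would be banned with maxretry = 3 and findtime = 1h.

```shell
#!/bin/sh
# Added example, not code from the original post: a small version of what the
# fail2ban sshd jail does, run over constructed auth.log lines (the addresses are
# documentation ranges). It keeps a per-IP sliding window of failed logins and
# reports every address with maxretry failures inside findtime, i.e. the ones the
# jail configured above (maxretry = 3, findtime = 1h) would ban.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:04 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:09 vps sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51141 ssh2
Mar  3 10:02:30 vps sshd[2110]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Mar  3 10:02:41 vps sshd[2112]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2
Mar  3 08:15:00 vps sshd[1990]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 08:20:00 vps sshd[1992]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 10:30:00 vps sshd[2150]: Failed password for root from 192.0.2.9 port 33003 ssh2
EOF

# offenders LOGFILE MAXRETRY FINDTIME_SECONDS: print the IPs a jail would ban, sorted.
# Assumes the log is in chronological order and all lines fall on the same day
# (real fail2ban parses full timestamps; this toy only reads the HH:MM:SS field).
offenders() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            split($3, t, ":")
            n[ip]++; ts[ip, n[ip]] = t[1] * 3600 + t[2] * 60 + t[3]
        }
        END {
            # sliding window: any maxretry consecutive failures within findtime seconds
            for (ip in n)
                for (j = maxretry; j <= n[ip]; j++)
                    if (ts[ip, j] - ts[ip, j - maxretry + 1] <= findtime) { print ip; break }
        }' "$1" | sort
}
```

Running `offenders "$SAMPLE_LOG" 3 3600` reports only 203.0.113.7: the three failures from 192.0.2.9 are spread over more than an hour, and the single failure from 198.51.100.20 followed by a successful key login is what a legitimate user looks like. A real jail additionally honours ignoreip and keeps the ban for bantime.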
UFW is the default firewall configuration tool for Ubuntu. However, it is disabled by default, so let’s enable it:
$ ufw default deny incoming
$ ufw default allow outgoing
$ ufw allow ssh
$ ufw enable
$ ufw status
Pay special attention to the ufw allow ssh line. Without it, UFW would block port 22, preventing you from SSHing into your server. Obviously, you don't want that to happen.
If you want to open more ports in the future, e.g. 80 (http), you can easily do that with ufw allow http.
In recent Ubuntu versions, unattended-upgrades is enabled by default, which means your system will always download and install the latest security patches automatically. One thing that new users complain about is that when a new kernel is installed, Ubuntu does not remove the old ones. However, there are good reasons why Ubuntu works like that. Of course, not everyone has the same needs, so if you want to save some space by removing old kernels, edit the unattended-upgrades configuration and make sure the following line exists and is not commented out:
$ nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Edit /etc/hostname and /etc/hosts
This step only applies if you want to change the hostname of your VPS server from the default supplied by your hosting provider. Assuming that your server’s FQDN is
HOSTNAME.DOMAIN.TLD and the IP address
$ nano /etc/hostname
HOSTNAME
Then edit /etc/hosts (the primitive predecessor of DNS, with an interesting story behind it):
$ nano /etc/hosts
X.X.X.X HOSTNAME.DOMAIN.TLD HOSTNAME
Install GNU Screen
Each time your SSH connection gets terminated (e.g. timeout, error), all running processes will typically terminate as well. This can leave your server in an undefined state, depending on what you were doing before disconnecting. That's why, when opening an SSH connection to a remote server, it's always good practice to work in a Screen session. Screen provides a virtual terminal that continues to run even if your SSH connection gets terminated.
$ apt install screen
Disable the annoying startup message:
$ nano /etc/screenrc
startup_message off
You can start a new screen session with screen, and exit the session with exit. If your SSH connection gets terminated unexpectedly, you can continue what you were doing by simply running screen -dr the next time you log in.