Your First Steps with Your Brand New VPS Server

on ubuntu and server

This tutorial is a brief description of the standard procedure that I follow each time I have to set up a new Ubuntu VPS server.

Change Root Password

This is a no-brainer. Change the root password from the default supplied by your hosting company:

$ passwd
Enter new UNIX password: 
Retype new UNIX password:

Secure SSH

One thing every server admin finds out sooner or later is that their server gets hundreds of failed login/break-in attempts each day. Just have a look at /var/log/auth.log and you’ll see what I’m talking about. Unfortunately, this is quite normal in today’s internet.

Most of those attacks originate from botnets, trying to SSH on every single IP address that belongs to your hosting company, using dictionary attacks on well-known accounts (e.g. root). The simplest action you can take for peace of mind, is to disable SSH login as root, and assign that role to another user with a non-trivial username.

  1. Create a new user:
     $ adduser YOUR_USER
    
  2. Edit your SSH configuration:
     $ nano /etc/ssh/sshd_config
     PermitRootLogin no
     AllowUsers YOUR_USER
     MaxStartups 3:50:10
     LoginGraceTime 30
     MaxAuthTries 3
    
  3. Restart SSH:
     $ service ssh restart
    

    Before closing your SSH session, open another terminal window, and try to login as the new user you have just created. If everything works as expected, you can exit the previous SSH session.

Public Key Authentication

Ideally you should disable password logins altogether and login exclusively using Public Key Authentication.

  1. On your local machine generate a set of RSA keys to use for authentication:
     $ ssh-keygen
    
  2. Then, copy your public key to the VPS server:
     $ ssh-copy-id YOUR_USER@YOUR_SERVER
    
  3. On your VPS server, edit the SSH daemon configuration to enable Public Key Authentication:
     $ nano /etc/ssh/sshd_config
     PubkeyAuthentication yes
     UsePAM no
     ChallengeResponseAuthentication no
    
  4. Restart SSH:
     $ service ssh restart
    
  5. Now test if you can login from your local machine to your server without a password:
     $ ssh YOUR_USER@YOUR_SERVER
    
  6. If the above step works, you can disable password logins:
     $ nano /etc/ssh/sshd_config
     PasswordAuthentication no
    
  7. And one final restart:
     $ service ssh restart
    
Fail2Ban

Fail2Ban is an intrusion prevention software framework, which scans your log files and bans IPs that try to brute force into your server.

$ apt install fail2ban

Copy the default configuration file and edit:

$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ nano /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 3h
findtime = 1h
maxretry = 3
destemail = YOUR_EMAIL
mta = mail
action = %(action_)s

[sshd]
enabled = true

Make sure to replace YOUR_EMAIL with your actual email address. If you want to receive an email each time an IP is banned replace %(action_)s with %(action_mw).

You might also want to customize some of the parameters. maxretry is the number of failed attempts after which the ban action on that IP will trigger. findtime is the period during which maxretry applies. bantime is the duration of the ban.

Restart service for the changes to take effect:

$ service fail2ban restart

Enable UFW

UFW is the default firewall configuration tool for Ubuntu. However, it is disabled by default, so let’s enable it:

$ ufw default deny incoming
$ ufw default allow outgoing
$ ufw allow ssh
$ ufw enable
$ ufw status

Pay special attention to the ufw allow ssh line. Without it, UFW would block port 22 preventing you to SSH to your server. Obviously, you don’t want that to happen.

If you want to open more ports in the future, e.g. 80 (http), you can easily do that with ufw allow http.

Unattended Upgrades

In recent Ubuntu versions, unattended-upgrades is enabled by default, which means your system will always download and install the latest security patches automatically. One thing that new users complain about, is that when a new Kernel is installed, Ubuntu does not remove the old ones. However, there are good reasons why Ubuntu works like that. Of course, not everyone has the same needs, so if you want to save some space by removing old Kernels, edit the unattended-upgrades configuration and make sure the following line exists and is not commented out:

$ nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Edit /etc/hostname and /etc/hosts

This step only applies if you want to change the hostname of your VPS server from the default supplied by your hosting provider. Assuming that your server’s FQDN is HOSTNAME.DOMAIN.TLD and the IP address X.X.X.X:

  1. Edit /etc/hostname:
     $ nano /etc/hostname
     HOSTNAME
    
  2. Edit /etc/hosts (that’s the primitive of DNS with an interesting story):
     $ nano /etc/hosts
     X.X.X.X HOSTNAME.DOMAIN.TLD HOSTNAME
    

    Install GNU Screen

Each time your SSH connection gets terminated (e.g. timeout, error), all running processes will typically terminate as well. This can leave your server in an undefined state, depending on what you were doing before disconnecting. That’s why, when opening a SSH connection to a remote server, it’s always good practice to work on a Screen session. Screen provides a virtual terminal, that continues to run, even if your SSH connection gets terminated.

  1. Install Screen:
     $ apt install screen
    
  2. Disable the annoying startup message:
     $ nano /etc/screenrc
     startup_message off
    

    You can start a new screen session with screen, and exit the session with exit. If your SSH connection gets terminated unexpectedly, you can continue what you were doing by simply running screen -dr the next time you login.

(Original publish date: August 28, 2015)