Your First Steps with Your Brand New VPS Server

This tutorial is a brief description of the standard procedure that I follow each time I have to set up a new Ubuntu VPS server.

Change Root Password

This is a no-brainer. Change the root password from the default supplied by your hosting company:

$ passwd
Enter new UNIX password: 
Retype new UNIX password:

Secure SSH

One thing every server admin finds out sooner or later is that their server gets hundreds of failed login/break-in attempts each day. Just have a look at /var/log/auth.log and you'll see what I'm talking about. Unfortunately, this is quite normal in today's internet.

Most of those attacks originate from botnets that try to SSH into every single IP address belonging to your hosting company, using dictionary attacks on well-known accounts (e.g. root). The simplest action you can take for peace of mind is to disable SSH login as root and assign that role to another user with a non-trivial username.

  1. Create a new user:

    $ adduser YOUR_USER
    
  2. Edit your SSH configuration:

    $ nano /etc/ssh/sshd_config
    PermitRootLogin no
    AllowUsers YOUR_USER
    MaxStartups 3:50:10
    LoginGraceTime 30
    
  3. Restart SSH:

    $ service ssh restart
    

Before closing your SSH session, open another terminal window and try to log in as the new user you have just created. If everything works as expected, you can exit the previous SSH session.

Secure SSH (advanced)

Ideally, you should disable password logins altogether and log in exclusively using Public Key Authentication.

  1. On your local machine generate a set of RSA keys to use for authentication:

    $ ssh-keygen
    
  2. Then, copy your public key to the VPS server:

    $ ssh-copy-id YOUR_USER@YOUR_SERVER
    
  3. On your VPS server, edit the SSH daemon configuration to enable Public Key Authentication:

    $ nano /etc/ssh/sshd_config
    PubkeyAuthentication yes
    
  4. Restart SSH:

    $ service ssh restart
    
  5. Now test if you can log in from your local machine to your server without a password:

    $ ssh YOUR_USER@YOUR_SERVER
    
  6. If the above step works, you can disable password logins:

    $ nano /etc/ssh/sshd_config
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    
  7. And one final restart:

    $ service ssh restart
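
Appending a line to sshd_config does not always change what sshd does: for each keyword the first value it reads wins, and lines under a Match block only apply conditionally. The script below is an added example, not part of the original tutorial; it checks a config file for the lock-down settings from the two SSH sections above, and the function names and the sample file are made up for illustration.

```shell
# Added example: audit an sshd_config-style file for the settings used above.

# Print the global value sshd would use for keyword $2 in file $1. Keywords are
# case-insensitive, the FIRST occurrence wins, and "Match" ends the global part.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/                { next }   # comments and blank lines
        tolower($1) == "match"        { exit }   # end of the global section
        tolower($1) == tolower(want)  { print tolower($2); exit }
    ' "$1"
}

# Check file $1 against the values this tutorial sets; an unset keyword counts
# too, since sshd then uses its built-in default. Returns the mismatch count.
audit_sshd() {
    bad=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"
            bad=$((bad + 1))
        fi
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    return "$bad"
}

# Constructed sample: "PasswordAuthentication no" was appended below an
# older "yes" line, so the edit has no effect.
sample_config() {
    cat <<'EOF'
PermitRootLogin no
passwordauthentication yes
AllowUsers YOUR_USER
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" || echo "$? setting(s) need attention"
rm -f "$tmp"
```

On a live server, `sshd -T` (run as root) prints the effective configuration, including files pulled in with Include, which this script does not follow.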
    

Enable UFW

UFW is the default firewall configuration tool for Ubuntu. However, it is disabled by default, so let's enable it:

$ ufw default deny incoming
$ ufw default allow outgoing
$ ufw allow ssh
$ ufw enable
$ ufw status

Pay special attention to the ufw allow ssh line. Without it, UFW would block port 22, preventing you from connecting to your server over SSH. Obviously, you don't want that to happen.

If you want to open more ports in the future, e.g. 80 (http), you can easily do that with ufw allow http.

Unattended Upgrades

In recent Ubuntu versions, unattended-upgrades is enabled by default, which means your system will always download and install the latest security patches automatically. One thing that new users complain about is that when a new kernel is installed, Ubuntu does not remove the old ones. However, there are good reasons why Ubuntu works like that. Of course, not everyone has the same needs, so if you want to save some space by removing old kernels, edit the unattended-upgrades configuration and make sure the following line exists and is not commented out:

$ nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Edit /etc/hostname and /etc/hosts

This step only applies if you want to change the hostname of your VPS server from the default supplied by your hosting provider. Assuming that your server's FQDN is HOSTNAME.DOMAIN.TLD and the IP address X.X.X.X:

  1. Edit /etc/hostname:

    $ nano /etc/hostname
    HOSTNAME
    
  2. Edit /etc/hosts (the predecessor of DNS, with an interesting story):

    $ nano /etc/hosts
    X.X.X.X HOSTNAME.DOMAIN.TLD HOSTNAME
    

Install GNU Screen

Each time your SSH connection gets terminated (e.g. timeout, error), all running processes will typically terminate as well. This can leave your server in an undefined state, depending on what you were doing before disconnecting. That's why, when opening an SSH connection to a remote server, it's always good practice to work in a Screen session. Screen provides a virtual terminal that continues to run even if your SSH connection gets terminated.

  1. Install Screen:

    $ apt install screen
    
  2. Disable the annoying startup message:

    $ nano /etc/screenrc
    startup_message off
    

You can start a new screen session with screen, and exit the session with exit. If your SSH connection gets terminated unexpectedly, you can continue what you were doing by simply running screen -dr the next time you log in.

(Original publish date: August 28, 2015)