Introduction
In this tutorial, we will cover how to set up your Ubuntu 18.04 based server and harden its security. This will increase the usability and security of your server and will give you a solid foundation for any future tasks you need to perform.
Prerequisites
Step 1: Log in via SSH
When you create your server, Snel sends you an email with your default username, password, and server IP address. Use those credentials to log in to your server for the first time.
If you are not familiar with the process then take a look at our How to connect to your server with SSH tutorial.
Step 2: Change password
You need to change the default password allotted to you by Snel. Use the following command to do that.
$ passwd
You will be asked for your current password first.
Step 3: Create a new Sudo user
Whether you are logged in as a root user or the default user which Snel gave you, it is always a best practice to create a new user with sudo privileges. Your Snel user-id also has sudo privileges.
Note: – Root user is very powerful with very broad privileges. You should use it only when it is absolutely necessary. For all other purposes, we will use a regular account with superuser privileges. This way you can perform administrative tasks using a regular user account by appending sudo in front of any command.
Use the following command to create a new user. You can replace sneluser with a username you like.
$ sudo adduser sneluser
You can omit using sudocommand if you are logged in as root user.
You will be asked several questions, starting with the account password. Enter a strong password and fill in any of the information if you like. The extra information is entirely optional and you can just hit ENTER to skip through them.
client_xxxxx_x@vps:~$ sudo adduser sneluser
Adding user `sneluser' ...
Adding new group `sneluser' (1001) ...
Adding new user `sneluser' (1001) with group `sneluser' ...
Creating home directory `/home/sneluser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sneluser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] yUse the following command to give your newly created account sudo privileges.
$ sudo usermod -aG sudo sneluser
Step 4: Update your server
It is important that you keep your server updated at all times. Run the following command to update the package lists on your server which store information on how and from where to download software packages.
$ sudo apt update
Now, install the package upgrades.
$ sudo apt upgrade
Note: You may be asked if you want to use an updated config file or keep the current one. Always choose the keep the local version currently installed option.
Step 5: Set the timezone
It is beneficial if your server operates in the same timezone as you are. Run the following command to get a list of all available time zones.
$ timedatectl list-timezones
Press ENTER to scroll through the list and enter q when you reach the end to exit the command.
You can also grab the list from here.
Once you have identified your timezone, set it using the following command.
$ sudo timedatectl set-timezone Europe/Amsterdam
You can confirm the new timezone by using the following command.
$ date Tue Mar 3 08:55:31 CET 2020
Step 6: Set up the Firewall
Ubuntu 18.04 comes with UFW(Uncomplicated Firewall) firewall installed by default.
Before enabling the firewall, we need to set proper rules. If you enable the firewall before setting any rules, you will get locked out of your own server.
The first step is to set up default policies. These rules control how to handle the traffic that does not match any other rules. By default, UFW is set to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your server can’t connect to it while any application on your server can reach the outside world.
Use the following commands to set UFW’s default policies.
$ sudo ufw default deny incoming $ sudo ufw default allow outgoing
Now that our default policy is set, let’s allow the default SSH port. Run the following command.
$ sudo ufw allow ssh
Different applications register themselves by their name with UFW. Hence, it knows that SSH here refers to port 22. You can also use the following command to achieve the same effect.
$ sudo ufw allow 22
It is time to enable the firewall.
$ sudo ufw enable
You will be asked for confirmation. Enter y since we have already enabled SSH.
You can check the status of the firewall by using the following command.
$ sudo ufw status verbose
You should see a similar output.
Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6)
You can omit the verbose tag from the command. That way, you will only be shown the open ports and protocols.
Step 7: Set the Hostname
First, check your existing hostname using the following command.
$ hostnamectl
You should see a similar output.
Static hostname: vps.snelexample.site
Icon name: computer-vm
Chassis: vm
Machine ID: f0824f3916f24a298d6b2c10dc8c68fb
Boot ID: 5c4ef23bc3dd4d39943e89d4563674c7
Virtualization: kvm
Operating System: Ubuntu 18.04.4 LTS
Kernel: Linux 4.15.0-88-generic
Architecture: x86-64To set up a hostname, use the following command.
$ sudo hostnamectl set-hostname host.snelexample.site
Replace host.snelexample.site with your actual hostname. Preferably, it should be an FQDN(Fully qualified domain name). But if you are not sure, you can always use a custom label to identify the server.
Next, you need to resolve your hostname to your server. This can be done by editing the /etc/hosts file. Use the following command to open the hosts file in Nano text editor.
$ sudo nano /etc/hosts
Append your hostname at the end of the line that starts with 127.0.0.1 like this.
127.0.0.1 localhost host.snelexample.site
Close the editor by pressing Ctrl + X and entering y when asked for confirmation to save the updated file.
Step 8: Log in as a new user
Exit from your current session by using the logout command and log in again via SSH using the new user you just created.
$ ssh [email protected]
Replace 192.168.0.1 with the actual IP address of your server.
Step 9: Disable Root login via SSH
This is a very important step in securing your server from brute force attacks. Let us check the current status of SSH root login by using the following command.
$ sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
This is a set of two commands. grepcommand searches for the string PermitRootLogin in the file /etc/ssh/sshd_config and catcommand outputs it to the terminal.
You might see a similar output.
PermitRootLogin without-password # the setting of "PermitRootLogin without-password".
Here, it is set without a password. This means public-key authentication is enabled. Make sure, it should not be commented out or not set to yes.
To completely disable the root login via SSH, edit the config file by using the following command.
$ sudo nano /etc/ssh/sshd_config
Change the line containing PermitRootLogin as below.
PermitRootLogin no
Save the file by pressing Ctrl + W and entering Y when prompted.
Restart the SSH server to apply the changes.
$ sudo systemctl restart sshd
You can check by logging out and try logging back in as root user. The server will refuse.
Step 10: Change SSH Port (Optional)
This step is entirely optional but is considered a good security aspect. Changing the default SSH port(22) prevents malicious bots to try logging into your server. To change the port, open the SSH configuration file again by using the following command.
$ sudo nano /etc/ssh/sshd_config
Find the line which says the following.
#Port 22
Uncomment the line by removing the hash and change the value into any port between 1024 and 65535. Here we are using port 2254.
Port 2254
Save the file by pressing Ctrl + W and entering y when prompted.
We will also need to allow this new port in our firewall. Open port 2254using UFW.
$ sudo ufw allow 2254
Since, we no longer the default port, we can delete it from our firewall’s list.
$ sudo ufw delete allow ssh
Restart the SSH server to apply the changes.
$ sudo systemctl restart sshd
Reload the firewall to apply the new settings.
$ sudo ufw reload
Now, you won’t be able to log in via SSH without specifying a port. Modify your SSH command as follows to login via the changed port.
$ ssh -p 2254 [email protected]
Step 11: Reboot Server
This is the last step. Now that we have installed and upgraded packages, the server needs to be rebooted to apply some of those changes. Use the following command to reboot your server.
$ sudo reboot
Conclusion
This concludes our tutorial regarding setting up of Ubuntu 18.04 based server where we learned how to add a new sudo user, updated packages, configured firewall, timezone, and hostname. We also hardened our SSH server against common malicious attacks.
Leave a Reply