First steps on a newly installed server.

After launching a new server that was not a full install of my own, I have found that the following steps help get it to a working state with a basic level of security. This is not all-inclusive; it is really just a baseline. It is specific to Ubuntu, but can easily be modified for any flavor of Linux.

With a service like DigitalOcean, AWS, or any similar provider you will be given a basic install with only a root user.

Change the default root password

Start by changing that root password to something very complex, and save it somewhere secure.

passwd

This password will only be needed if you lose the ability to log in over ssh or forget your sudo password.

Update the system. This also saves time as you start installing your applications, since everything will already be up to date.

apt-get update && apt-get upgrade

Install Fail2ban 

Fail2ban monitors login attempts to a server and blocks IPs that fail to log in successfully too many times. It can be tweaked later on, but it works well enough out of the box. Be careful after installing Fail2ban, since you can lock yourself out of your own server if you have more than 3 failed login attempts. If that does happen, just go grab a beer and wait for your own block to expire before logging in again.

apt-get install fail2ban

Setup a New User

Since it is never a good idea to allow root login to your server, you now need to set up a new login user. Replace ‘NewUser’ with whatever name you want to use. Make sure the password you use here is complex and keep a note of it; it will be used later on for super user access.

useradd NewUser 
mkdir /home/NewUser 
mkdir /home/NewUser/.ssh 
chmod 700 /home/NewUser/.ssh
passwd NewUser

Set up public key authentication

Passwords suck! For secure remote ssh access, public key authentication is a much better option. It also simplifies your login process, since you don’t have to remember a long and complex password.

vim /home/NewUser/.ssh/authorized_keys

Add the contents of your id_rsa.pub (the public key from the machine you will be connecting from) to this file.

chmod 400 /home/NewUser/.ssh/authorized_keys 
chown NewUser:NewUser /home/NewUser -R
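The key installation steps above (create .ssh, add the public key, fix modes and ownership) as one reusable shell function, with a check that the result is what sshd expects. This is an added example and is not part of the original post; the function names install_authorized_key and verify_ssh_dir are hypothetical, and the sample key in the usage is constructed, not a real key. It differs from the steps above in two deliberate ways: it uses mode 600 rather than 400 on authorized_keys so that more keys can be appended later (sshd's StrictModes only requires that the file is not group- or world-writable), and it refuses a file that looks like a private key, which is the commonest paste mistake at this step. Ownership is only changed when an owner argument is given, since that needs root.

```shell
#!/bin/sh
# Added example (not the post's own commands): install a public key for a
# user idempotently and sanity-check the key. Function names are hypothetical.

# install_authorized_key HOME_DIR PUBKEY_FILE [OWNER]
#   - refuses anything that does not look like an OpenSSH public key line
#   - creates HOME_DIR/.ssh with mode 700 and authorized_keys with mode 600
#     (the post uses 400; 600 still satisfies StrictModes and allows appends)
#   - appends the key only if its "type blob" is not already present
#   - chowns HOME_DIR to OWNER when OWNER is given (needs root)
install_authorized_key() {
    home_dir="$1"; pubkey_file="$2"; owner="$3"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "refusing $pubkey_file: not a public key line (did you paste the private key?)" >&2
           return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_keys" ] || : > "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare only "type blob"; the trailing comment may differ between copies.
    key_id=$(printf '%s\n' "$key_line" | awk '{ print $1 " " $2 }')
    if ! awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_keys"; then
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi

    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$home_dir"
    fi
}

# verify_ssh_dir HOME_DIR
# Succeeds only when the modes are exactly what the steps above set up:
# .ssh is 700 and authorized_keys is 600. find -perm with a plain mode is an
# exact match, so a group-writable .ssh (the usual StrictModes failure) fails here.
verify_ssh_dir() {
    [ -n "$(find "$1/.ssh" -prune -perm 700 2>/dev/null)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600 2>/dev/null)" ]
}

# Usage: sh this_script.sh /home/NewUser /path/to/id_rsa.pub NewUser
if [ "$#" -ge 2 ]; then
    install_authorized_key "$1" "$2" "$3" && verify_ssh_dir "$1"
fi
```

Running it twice with the same key leaves a single line in authorized_keys, and verify_ssh_dir is the check to run when a key login unexpectedly falls back to a password prompt: sshd silently ignores an authorized_keys file whose directory or file is group- or world-writable.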

Test The New User and Enable Super User Access

Open a new terminal or ssh session and attempt to log in with the NewUser account. It’s really important to keep the original session open so you can fix things if you screw up. If the login works, go back to your original terminal to enable super user access.

visudo

Find the list of users and add NewUser to it. This grants super user access when the user authenticates with their own password.

## Allow root to run any commands anywhere
root ALL=(ALL) ALL 
NewUser  ALL=(ALL) ALL

Secure SSH access

Disable root login for ssh and limit logins to a list of IPs.

vim /etc/ssh/sshd_config

Add these lines to the file, inserting the IP address you will be connecting from. If you connect from changing dynamic IPs (home internet providers, cell phone networks), you may want to skip the IP limit. Note that sshd honours the first occurrence of each keyword, so if the file already contains an uncommented PermitRootLogin or PasswordAuthentication line, change that line rather than appending a second one below it.

PermitRootLogin no
PasswordAuthentication no
AllowUsers NewUser@(your-ip) NewUser@(another-ip-if-any)

Restart SSH

service ssh restart
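A check that the three settings above are actually in effect before you restart sshd, as an added example that is not part of the original post (the function names effective_sshd_option and check_sshd_hardening are hypothetical). It models the sshd parsing rules that make "just add the lines" go wrong: the first occurrence of a keyword wins, keywords are case-insensitive, both "Key value" and "Key=value" are accepted, and anything after a Match line is conditional rather than global.

```shell
#!/bin/sh
# Added example (not the post's own commands): report the global value sshd
# would use for a keyword, and check the hardening settings from the steps above.

# effective_sshd_option FILE KEYWORD -> prints the global value sshd would use,
# or nothing if the keyword is not set before the first Match block.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        { k = tolower($1); sub(/=.*/, "", k) }         # keyword, also for Key=value
        k == "match" { exit }                          # conditional section starts
        k == key {
            v = $0
            sub(/^[[:space:]]*[^[:space:]=]+[[:space:]=]+/, "", v)   # drop keyword and separator
            sub(/[[:space:]]+$/, "", v)
            print v
            exit                                       # first occurrence wins
        }' "$1"
}

# check_sshd_hardening FILE -> 0 if root login and password authentication are
# off and AllowUsers is set; otherwise reports each miss on stderr and returns 1.
check_sshd_hardening() {
    f="$1"; rc=0
    [ "$(effective_sshd_option "$f" PermitRootLogin)" = "no" ] ||
        { echo "$f: PermitRootLogin is not 'no'" >&2; rc=1; }
    [ "$(effective_sshd_option "$f" PasswordAuthentication)" = "no" ] ||
        { echo "$f: PasswordAuthentication is not 'no'" >&2; rc=1; }
    [ -n "$(effective_sshd_option "$f" AllowUsers)" ] ||
        { echo "$f: AllowUsers is not set" >&2; rc=1; }
    return "$rc"
}

# Usage: sh this_script.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then
    check_sshd_hardening "$1"
fi
```

Run it against /etc/ssh/sshd_config after editing, then let `sshd -t` validate the syntax before `service ssh restart` (on systemd-based Ubuntu releases `systemctl restart ssh` does the same), and keep your existing session open until a fresh login with the new user succeeds.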