You have just gained access to a fresh, untouched server with the Ubuntu operating system (I am using 12.04). I will guide you through all the steps to set up a high-performing server through a series of articles. All of them will be detailed and, most importantly, very easy to understand for beginners. In this first article we will handle the initial server setup. This can be done in only a few minutes, but it is a crucial part.
Some of the first tasks required on a new virtual private server (VPS) or dedicated server are changing the default password, setting up a new user, granting the proper privileges and configuring SSH.
→ A fresh and untouched Linux (Ubuntu) server
→ The IP address for that server
→ Root access to that server
→ A way to SSH to your server (Terminal, Putty,…)
Step 1: Access server via Root
You know your IP address and you know your root password. Now you can log in as the main user, “root”. It is however not encouraged to use root on a server on a regular basis, for security reasons. A lot of bots scan server ports and by default use the username “root” to try and break into your server. I will show you how to create an alternative user to log in with permanently.
So first of all, access your server through the command line via SSH. You can do this with the following command (replace 123.456.78.90 with your server's IP address).
It is possible that the terminal will output something like this.
The authenticity of host '123.456.78.90 (123.456.78.90)' can't be established.
RSA key fingerprint is 12:34:56:78:90:a1:b2:c3:d4:e5:f6:g7:h9:i0:ab:cd.
Are you sure you want to continue connecting (yes/no)?
This is a normal output if you connect to the server via your computer for the first time. Simply type “yes” and enter the root password.
Step 2: Change root password
Even though we will block access via the “root” account, it is still advised to change the default root password that was sent to you when you registered your server. You can easily change it to one of your choice.
Log out by either using the “exit” command or by simply closing the terminal. Then log in as root and with your new password to make sure everything went ok.
Step 3: Add a user
Now that you are logged in with the changed password we will add a new user and give this user root capabilities. Simply use the following command and replace “USERNAME” with the name you want to use.
You will be asked to provide a password, confirm the password and additional user information. You can leave the additional information blank.
Step 4: Grant root capabilities
Now we need to give the new user administrative privileges, just like root. While not necessary when logged in as root, you will have to add the phrase “sudo” before every command when performing root tasks with the new user. This will do two things:
- It will prevent the user from making system-destroying mistakes.
- All commands run with the phrase “sudo” are stored in /var/log/secure so they can be reviewed later if needed.
Okay, now we will give the new user root privileges. This can be done using Ubuntu’s default editor, “nano”, and the following command.
Using the arrow keys, go down in the document. Look for the following lines.
# User privilege specification
root ALL=(ALL:ALL) ALL
To give root permissions to the new user “USERNAME“, add the following line.
USERNAME ALL=(ALL:ALL) ALL
There are two ways to save and exit the file.
- Exit the file with “CTRL+X”. When the terminal asks “Save modified buffer?”, answer yes by entering “Y”. When the terminal then asks if you want to overwrite the file, simply hit “ENTER”.
- OR save the file with “CTRL+O” (i.e. WriteOut) and overwrite it by hitting “ENTER”. Then exit with “CTRL+X”.
Optional: securing SSH
While I highly recommend the following steps to secure your server, these are optional. It is important to understand that changing the SSH port and completely restricting root login may make logging in more cumbersome in the future.
Let us go ahead and open up the SSH configuration file.
sudo nano /etc/ssh/sshd_config
We will change a few things in this file. The most important one is changing the SSH port. By default this port is 22. You can change this to any integer between 1025 and 65536. In this example I am using 9999. Do not forget this number. If you do, it may lock you out of your server completely. You will need it to log in in the future. Making this change will make it a lot more difficult for unauthorized people to access your server.
The next step is changing the “PermitRootLogin” setting from yes to no. This will stop future root login. You will only be able to log in to your server as the new user.
Finally add these two lines at the bottom of the file. The “UseDNS” option is mostly useless, but in very peculiar circumstances it should be turned off. Do not forget to replace “USERNAME” with the username you have chosen. “AllowUsers” will limit login to only the users on that line.
UseDNS no
AllowUsers USERNAME
Save and exit the file. Reloading SSH is necessary to implement the new port and settings.
sudo reload ssh
Do not close the terminal window just yet. Just to make sure that everything got implemented correctly, open up a new terminal window and log in again using the following command. You’ll notice that we now need to specify the SSH port (with “-p“) and “root” is replaced with “USERNAME“.
ssh -p 9999 USERNAME@123.456.78.90
If everything went right, you are now logged in as the new user with root capabilities.
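A check worth running on the edited file before reloading SSH, as an added example that is not part of the original article: sshd keeps the first value it reads for most keywords, so a line added at the bottom has no effect if the same keyword is already set higher up. The function names and the sample file are constructed for illustration, and the script assumes keywords and values are separated by whitespace and that AllowUsers holds plain usernames.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# settings changed above. Assumes keyword and value are separated by whitespace.

# values FILE KEYWORD: print each value set for KEYWORD before any Match block.
# Keywords are case-insensitive; comment and blank lines are skipped.
values() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# audit_sshd_config FILE USER: print findings, return 0 only if all checks pass.
audit_sshd_config() {
    file=$1; user=$2; rc=0
    # Port may be given several times and sshd listens on every one of them.
    ports=$(values "$file" Port)
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL: sshd still listens on port 22"; rc=1
    fi
    # For single-valued keywords sshd keeps the first value it reads.
    root=$(values "$file" PermitRootLogin | head -n 1)
    if [ "$root" != no ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    # AllowUsers lines add up; the new user must be named on one of them.
    allow=$(values "$file" AllowUsers | tr '\n' ' ')
    case " $allow " in
        *" $user "*) ;;
        *) echo "FAIL: AllowUsers does not name '$user'"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: PermitRootLogin was appended at the bottom while the
# stock "yes" line above it was left in place, so root login stays enabled.
sample_bad_config() {
    printf '%s\n' 'Port 9999' '#Port 22' 'PermitRootLogin yes' \
        'UseDNS no' 'AllowUsers USERNAME' 'PermitRootLogin no'
}
```

Call it as `audit_sshd_config /etc/ssh/sshd_config USERNAME` from the session you still have open. Running `sudo sshd -t` as well catches syntax errors in the file before the reload.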
What is next?
Now that the initial server setup is completed you can continue to make your server more secure. I highly recommend fail2ban because it is very easy to use. Deny Hosts is a good alternative. Both will prevent brute force attacks on the server.
You can also start installing a LEMP stack on your server. LEMP stands for Linux, NGINX (pronounced engine x), MySQL and PHP5. For MySQL I suggest using MariaDB. This configuration will offer a very high performance.