PixelCove

Ubuntu Server Initial Setup

Introduction

This guide covers a few initial configuration steps that should be performed on any new Ubuntu system: updating the system, setting the timezone, adding a limited user, and hardening SSH to prevent unauthorized access. These steps ensure your instance is up to date, secure, and ready to use.

The commands in this guide use the placeholders {{username}}, {{ip_addr}}, and {{email}}. Replace them with your username, server IP address, and email address.

Connect to the Instance

The first step we need to take is getting connected to our instance:

Don't forget to replace the IP Address
ssh root@{{ip_addr}}
  • Windows: Windows 10 and 11 users can connect using the Command Prompt (or PowerShell) application. Users on Windows 8 and earlier can use PuTTY (https://www.putty.org/).
  • macOS: Use the pre-installed Terminal application.
  • Linux: Use the terminal application you have installed on your system.

Perform System Updates

Updating your system frequently is the single biggest security precaution you can take. Updates provide many vulnerability patches and bug fixes. To update your server, run:

apt update && apt upgrade

When updating some packages, you may be prompted to use updated configuration files. If prompted, it is typically safer to keep the locally installed version.

Set the Timezone

Since not every cloud provider sets timezones the same way, you may want to update the timezone to match your local time.

  1. Run the tzdata tool
dpkg-reconfigure tzdata
  2. Select the continent of your choice using the arrow keys and press Enter.
  3. Select your region using the arrow keys and press Enter.

Check the Time

Use the date command to view the current date and time according to your server:

date
Output
Sun Jun 23 03:48:24 PM PDT 2024

Add a Limited User Account

So far we have been accessing our instance as the root user, which has unlimited privileges. It is recommended you create a limited user account and use it at all times. Administrative tasks can be done using sudo to temporarily elevate your limited user’s privileges.

To create the user we will run the following command. Be sure to replace {{username}} with your desired username. You’ll then be asked to assign the user a password.

adduser {{username}}

Next we need to add the user to the sudo group so you’ll have administrative privileges:

adduser {{username}} sudo

Login as the New User

After creating your limited user, you can switch to the user with the following command:

Be sure to replace the username
su - {{username}}

Harden SSH Access

By default, password authentication is used to connect to your server. In this section we are going to create an SSH key-pair and configure the server to not accept passwords for SSH logins.

Create and Upload Your SSH Key

First we need to create an SSH key pair. If you already have one ready to use, you can skip this part. Otherwise, on your local computer, run:

Replace the email address with your email address
ssh-keygen -t ed25519 -C "{{email}}"

When prompted for the filename, just press Enter for the defaults. It is recommended to use a passphrase for better security.

Now we need to upload the public key to our server. To do this you can follow one of the steps below:

  • Linux: Be sure to replace the username and IP Address
ssh-copy-id {{username}}@{{ip_addr}}
  • macOS: On your server:
mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/

Then run the following on your local computer, replacing the username and IP address:

scp ~/.ssh/id_ed25519.pub {{username}}@{{ip_addr}}:~/.ssh/authorized_keys
  • Windows 10 or 11: On your server:
mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/

Then run the following on your local computer, replacing the username and IP address:

scp C:/Users/{{username}}/.ssh/id_ed25519.pub {{username}}@{{ip_addr}}:~/.ssh/authorized_keys

Finally, you’ll want to set permissions for the public key directory and the key file itself. On your server, run the following command:

sudo chmod -R 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

This provides an extra layer of security by preventing other users from accessing the public key directory as well as the file itself.

SSH Daemon Options

Lastly, edit the SSH configuration file to disallow root login and disable password authentication over SSH.

  1. Open the SSH configuration file on your server using any text editor:
sudo nano /etc/ssh/sshd_config
  2. Disallow root logins over SSH. This requires all SSH connections to be made by non-root users. Once a limited user account is connected, you can use sudo or change to a root shell using su - to administer your server.
File: /etc/ssh/sshd_config
# Authentication:
...
PermitRootLogin no
  3. Disable SSH password authentication. This requires all users connecting via SSH to use key authentication. The PasswordAuthentication line may need to be added or uncommented.
File: /etc/ssh/sshd_config
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

  4. Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your server using both protocols, disable whichever you do not need.

Use the option:

  • AddressFamily inet to listen only on IPv4
  • AddressFamily inet6 to listen only on IPv6
File: /etc/ssh/sshd_config
# Port 22
AddressFamily inet
  5. Restart the SSH service to load the new configuration.
sudo systemctl restart sshd
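
To confirm that the options above took effect, the following added example (not part of the original guide) checks the effective settings printed by sshd -T, which reflect the main file plus anything pulled in by Include directives. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd's effective settings against this guide's values.
# Input: `sshd -T`-style lines ("keyword value", lowercase keywords) on stdin.

# report NAME ACTUAL EXPECTED -> prints OK/FAIL, returns 1 on mismatch
report() {
    if [ "$2" = "$3" ]; then
        echo "OK   $1 $2"
        return 0
    fi
    echo "FAIL $1 is '${2:-unset}', expected '$3'"
    return 1
}

# check_sshd_settings [inet|inet6] -> returns 0 only if all three settings match
check_sshd_settings() {
    want_family=${1:-inet}
    root='' pass='' fam=''
    while read -r key value rest; do
        case "$key" in
            # sshd -T prints each keyword once; keep the first if input repeats
            permitrootlogin)        root=${root:-$value} ;;
            passwordauthentication) pass=${pass:-$value} ;;
            addressfamily)          fam=${fam:-$value} ;;
        esac
    done
    rc=0
    report permitrootlogin        "$root" no             || rc=1
    report passwordauthentication "$pass" no             || rc=1
    report addressfamily          "$fam"  "$want_family" || rc=1
    return "$rc"
}

# Constructed sample inputs (not captured from a real server)
sample_hardened() {
    printf '%s\n' 'port 22' 'addressfamily inet' \
        'permitrootlogin no' 'passwordauthentication no'
}
sample_overridden() {   # e.g. another config file re-enabled passwords
    printf '%s\n' 'port 22' 'addressfamily any' \
        'permitrootlogin no' 'passwordauthentication yes'
}

echo "== hardened sample ==";   sample_hardened   | check_sshd_settings inet
echo "== overridden sample =="; sample_overridden | check_sshd_settings inet \
    || echo "=> fix the configuration before restarting the SSH service"

# On the server itself: sudo sshd -T | check_sshd_settings inet
```

Keep your current session open and confirm a key-based login as {{username}} from a second terminal before closing it.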

Conclusion

This guide has equipped you with essential steps to secure and optimize your new Ubuntu server instance. By updating your system, configuring the timezone, adding a limited user with sudo privileges, and hardening SSH access through key authentication and configuration tweaks, you’ve ensured a robust foundation for your server’s security and functionality. These measures not only protect your instance from unauthorized access but also enhance its reliability and performance. Implement these practices diligently to maintain a secure and efficient server environment.
