Introduction
This guide covers a few initial configuration steps that should be performed on any new Ubuntu system: updating, setting the timezone, adding a limited user, and hardening SSH to prevent unauthorized access. These steps ensure your instance is up to date, secure, and ready to use.
Connect to the Instance
The first step we need to take is getting connected to our instance:
- Windows: Windows 10 and 11 users can connect using the Command Prompt (or PowerShell) application. Users on Windows 8 and earlier can use [PuTTY](https://www.putty.org/).
- macOS: Use the pre-installed Terminal application.
- Linux: Use the terminal application you have installed on your system.
Perform System Updates
Updating your system frequently is the single biggest security precaution you can take. Updates provide many vulnerability patches and bug fixes. To update your server run:
When updating some packages, you may be prompted to use updated configuration files. If prompted, it is typically safer to keep the locally installed version.
Set the Timezone
Since not every cloud provider sets timezones the same way, you may want to update the timezone to match your local time.
- Run the `tzdata` tool
- Select the continent of your choice using the arrow keys and press Enter.
- Select your region using the arrow keys and press Enter.
Check the Time
Use the `date` command to view the current date and time according to your server:
Add a Limited User Account
So far we have been accessing our instance as the root user, which has unlimited privileges.
It is recommended you create a limited user account and use it at all times.
Administrative tasks can be done using `sudo` to temporarily elevate your limited user’s privileges.
To create the user we will run the following command. Be sure to replace `{{username}}` with your desired username.
You’ll then be asked to assign the user a password.
Next we need to add the user to the `sudo` group so you’ll have administrative privileges:
Login as the New User
After creating your limited user, you can switch to the user with the following command:
Harden SSH Access
By default, password authentication is used to connect to your server. In this section we are going to create an SSH key-pair and configure the server to not accept passwords for SSH logins.
Create and Upload Your SSH Key
First we need to create an SSH key pair. If you already have one ready to use you can skip this part. Otherwise on your local computer run:
When prompted for the filename, just press Enter for the defaults. It is recommended to use a passphrase for better security.
Now we need to upload the public key to our server. To do this you can follow one of the steps below:
- Linux: Be sure to replace the username and IP Address
- macOS: On your server:
Then run the following on your local computer, replacing the username and IP address:
- Windows 10 or 11: On your server:
Then run the following on your local computer. Be sure to replace any highlighted portions:
Finally, you’ll want to set permissions for the public key directory and the key file itself. On your server, run the following command:
This provides an extra layer of security by preventing other users from accessing the public key directory as well as the file itself.
SSH Daemon Options
Lastly, edit the SSH configuration file to disallow root login and disable password authentication over SSH.
- Open the SSH configuration file on your server using any text editor:
- Disallow root logins over SSH. This requires all SSH connections to be by non-root users.
Once a limited user account is connected, you can use `sudo` or change to a root shell using `su -` to administer your server.
- Disable SSH password authentication. This requires all users connecting via SSH to use key authentication.
The `PasswordAuthentication` line may need to be added or uncommented.
- Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your server using both protocols, disable whichever you do not need.
Use the option:
`AddressFamily inet` to listen only on IPv4
`AddressFamily inet6` to listen only on IPv6
- Restart the SSH service to load the new configuration.
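The options above only take effect if they are the first uncommented value sshd reads for each keyword, which is easy to get wrong when a line is appended instead of edited. The check below is an added example, not part of the original guide; the function names and the sample file are constructed for illustration, and it reads a single file without following `Include` directives.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config file for
# the two settings this section changes. sshd uses the FIRST value it reads
# for a keyword, so a "no" appended below an earlier "yes" has no effect.

# Print the first uncommented value of keyword $2 in file $1 (lowercased).
# Simplifications: stops at the first Match block, does not follow Include.
effective_value() {
    awk -F '[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }              # strip indent; awk re-splits fields
        /^#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }     # later settings are conditional
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if root login and password authentication are both disabled.
audit_sshd_config() {
    audit_failures=0
    for audit_key in PermitRootLogin PasswordAuthentication; do
        audit_got="$(effective_value "$1" "$audit_key")"
        if [ "$audit_got" = "no" ]; then
            echo "OK    $audit_key no"
        else
            echo "FAIL  $audit_key is '${audit_got:-unset, default applies}'"
            audit_failures=$((audit_failures + 1))
        fi
    done
    return "$audit_failures"
}

# Constructed sample: the "no" was appended at the end, after a stock "yes".
sample_config() {
    cat <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
AddressFamily inet
PasswordAuthentication no
EOF
}

sample_file="$(mktemp)"
sample_config > "$sample_file"
audit_sshd_config "$sample_file" || echo "sample config is not hardened"
rm -f "$sample_file"
```

On the server itself, `sudo sshd -t` validates the file before you restart the service, and `sudo sshd -T` prints the effective settings, including any files pulled in through `Include`. Keep your current session open until a key-based login works in a second terminal.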
Conclusion
This guide has equipped you with essential steps to secure and optimize your new Ubuntu server instance. By updating your system, configuring the timezone, adding a limited user with sudo privileges, and hardening SSH access through key authentication and configuration tweaks, you’ve ensured a robust foundation for your server’s security and functionality. These measures not only protect your instance from unauthorized access but also enhance its reliability and performance. Implement these practices diligently to maintain a secure and efficient server environment.