Ubuntu 14.04 LTS Server Setup
Linux, Server, Sysadmin, Ubuntu
This article is a cheatsheet/guidelines for the secure setup of Ubuntu 14.04 LTS server.
The content has been largely drawn from this Digital Ocean article.
Once a new server is created, you should follow these setup guidelines as soon as possible. Check the auth.log file for malicious access attempts:
~~~
sudo cat /var/log/auth.log | grep 'sshd.*Invalid'
~~~
Malicious log in attempts begin almost immediately - presumably, would-be hackers are trying a range of IP addresses and knocking on doors, looking for low-hanging fruit. For this reason, the initial VPS setup should definitely include a strong root password.
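An added example, not part of the original article, that turns the grep above into a small per-source summary of failed "Invalid user" attempts, which is the first thing you want to know before deciding what to block at the firewall. The log lines, hostnames and addresses below are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of sshd lines in the format /var/log/auth.log uses on
# Ubuntu 14.04. Hostname, addresses and usernames are made up for this example.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 archimedes sshd[1201]: Invalid user admin from 198.51.100.7
Mar  3 10:01:12 archimedes sshd[1201]: input_userauth_request: invalid user admin [preauth]
Mar  3 10:01:15 archimedes sshd[1203]: Invalid user oracle from 198.51.100.7
Mar  3 10:02:40 archimedes sshd[1210]: Invalid user test from 203.0.113.25
Mar  3 10:03:02 archimedes sshd[1214]: Accepted publickey for daviduser from 192.0.2.10 port 51512 ssh2
Mar  3 10:05:55 archimedes sshd[1220]: Invalid user admin from 198.51.100.7
EOF

# Print "<count> <source-ip>" for every address that tried an unknown
# username, busiest first. Same filter as the grep on the page, aggregated.
invalid_by_ip() {
    grep 'sshd.*Invalid user' "$1" \
      | sed -n 's/.*Invalid user [^ ]* from \([0-9a-fA-F.:]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Exit 0 if any single source exceeded the threshold given in $2, else 1.
# A simple cue that a source deserves a ufw deny rule or rate limiting.
exceeds_threshold() {
    invalid_by_ip "$1" | awk -v max="$2" '$1 > max {found=1} END {exit !found}'
}

invalid_by_ip "$SAMPLE_LOG"
# prints:
# 3 198.51.100.7
# 1 203.0.113.25
```

Run it against the real file with `sudo` in place of the constructed sample once you have confirmed the output on the sample.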
Set FQDN/Hostname
To set the hostname to “archimedes”, edit /etc/hostname:
~~~
echo "archimedes" > /etc/hostname
hostname -F /etc/hostname
~~~
If it exists, edit the file /etc/default/dhcpcd to comment out the SET_HOSTNAME directive.
Edit /etc/hosts
Edit /etc/hosts - amend the localhost entry, and add a new line referring to the FQDN. This should be in the format: IP-Address-of-system hostname.domainname.TLD hostname
~~~
127.0.0.1 localhost.localdomain localhost
123.345.567.78 archimedes.your-main-domain.com archimedes
~~~
Add an IPv6 entry if necessary, e.g.
~~~
1b00:1b00::f0f0:11aa:aa98:bdf4 archimedes.your-main-domain.com archimedes
~~~
Restart the hostname service:
~~~
/etc/init.d/hostname restart
~~~
Set Timezone
Activate the wizard and follow the instructions:
~~~
dpkg-reconfigure tzdata
~~~
Create New User
Create a new user:
~~~
adduser daviduser
~~~
Answer the questions, add a password, hit enter.
Give the new user sudo privileges:
~~~
gpasswd -a daviduser sudo
~~~
Generate SSH Key Pair on Local Machine
You can re-use an existing one if it already exists:
~~~
ssh-keygen -t rsa
~~~
Add a passphrase.
Copy Public SSH Key to Server
The easiest way to do this:
~~~
ssh-copy-id daviduser@123.45.56.78
~~~
You will be prompted for the user’s password…and that’s it!
Reboot Server From Command Line
This is sometimes prompted for/required during the setup process:
~~~
sudo reboot
~~~
Harden SSH Access
Backup config:
~~~
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
~~~
Restrict root login so it is only via SSH key (NOT password):
~~~
sudo nano /etc/ssh/sshd_config
~~~
Amend the PermitRootLogin entry:
~~~
PermitRootLogin without-password
~~~
Ctrl+o to save, Ctrl+x to exit. Then reload ssh:
~~~
sudo reload ssh
~~~
Try and connect in a new terminal BEFORE CLOSING THE OPEN TERMINAL!!!
Test logging in to root via SSH - it will allow password entry, but the response should be: “Permission denied, please try again.”
Firewall
Set up ‘Uncomplicated Firewall’: ufw.
Allow the custom SSH port:
~~~
sudo ufw allow 4444/tcp
~~~
Allow port 80, for HTTP web traffic:
~~~
sudo ufw allow 80/tcp
~~~
To allow HTTPS traffic, open port 443:
~~~
sudo ufw allow 443/tcp
~~~
Show the exceptions you have added:
~~~
sudo ufw show added
~~~
Enable the firewall:
~~~
sudo ufw enable
~~~
More info on configuring ufw.
Swapfile
Probably not necessary, but it may prevent the server crashing in the event of high traffic. Accessing data stored on disk (rather than memory) is slow.
It is generally recommended that the size of the swapfile should be 2 x RAM.
Determine RAM:
~~~
# return memory in MB
free -m
~~~
Use fallocate to allocate space to the swap file:
~~~
sudo fallocate -l 4G /swapfile
~~~
From the fallocate man page: “fallocate is used to manipulate the allocated disk space for a file, either to deallocate or preallocate it. For filesystems which support the fallocate system call, preallocation is done quickly by allocating blocks and marking them as uninitialized, requiring no IO to the data blocks. This is much faster than creating a file by filling it with zeros.”
Give correct permissions to the swapfile - restrict access so other users/processes can’t read it:
~~~
sudo chmod 600 /swapfile
~~~
Format the file for swap:
~~~
sudo mkswap /swapfile
~~~
Make the file available for swap:
~~~
sudo swapon /swapfile
~~~
Make it available for swap at boot by amending /etc/fstab:
~~~
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
~~~
Resources