Ubuntu 14.04 LTS Server Setup
Linux, Server, Sysadmin, Ubuntu
This article is a cheatsheet of guidelines for the secure setup of an Ubuntu 14.04 LTS server.
The content has been largely drawn from this Digital Ocean article.
Once a new server is created, you should follow these setup guidelines as soon as possible. Check the auth.log file for malicious access attempts:
Malicious login attempts begin almost immediately - presumably, would-be hackers are trying a range of IP addresses and knocking on doors, looking for low-hanging fruit. For this reason, the initial VPS setup should definitely include a strong root password.
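As an added example (not part of the original article), the shell function below summarises failed SSH password attempts per source address from auth.log-style input, including the "message repeated N times" lines that rsyslog writes when it collapses duplicates. The sample log lines are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source address.
# On the server: failed_logins_by_ip < /var/log/auth.log   (run as root)

# Constructed sample lines in the sshd format written to auth.log
# (addresses come from the RFC 5737 documentation ranges).
sample_auth_log() {
cat <<'EOF'
Mar  3 06:25:11 archimedes sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 06:25:14 archimedes sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 06:25:19 archimedes sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 40210 ssh2
Mar  3 06:26:02 archimedes sshd[1215]: Invalid user oracle from 198.51.100.23
Mar  3 06:26:40 archimedes sshd[1222]: Accepted publickey for deploy from 192.0.2.10 port 50514 ssh2: RSA aa:bb
Mar  3 06:27:05 archimedes sshd[1230]: Failed password for root from 203.0.113.7 port 51300 ssh2
Mar  3 06:27:09 archimedes sshd[1230]: message repeated 2 times: [ Failed password for root from 203.0.113.7 port 51300 ssh2]
EOF
}

# Reads auth.log lines on stdin.
# Prints "total_failures source_ip failures_against_root", busiest source first.
failed_logins_by_ip() {
    awk '
    /sshd\[[0-9]+\]:/ && /Failed password for / {
        n = 1
        # rsyslog collapses duplicates into "message repeated N times: [ ... ]"
        if (match($0, /message repeated [0-9]+ times/)) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            n = w[3]
        }
        # Take the field after the LAST "from": the attempted username is
        # attacker-controlled and may itself contain the word "from".
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        total[ip] += n
        if ($0 ~ /Failed password for root from /) root[ip] += n
    }
    END { for (ip in total) printf "%d %s %d\n", total[ip], ip, root[ip] }
    ' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample.
sample_auth_log | failed_logins_by_ip
```

A high count in the third column shows how much of the traffic targets the root account directly, which is the account the SSH hardening step later in this article restricts to key-only login.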
Set FQDN/Hostname
To set the hostname to “archimedes”, edit /etc/hostname:
If it exists, edit the file /etc/default/dhcpcd to comment out the SET_HOSTNAME directive.
Edit /etc/hosts - amend the localhost entry, and add a new line referring to the FQDN.
This should be in the format: IP-Address-of-system hostname.domainname.TLD hostname
Add IPv6 if necessary, e.g.
Restart the hostname service
Set Timezone
Activate wizard, follow instructions:
Create New User
Create a new user:
Answer the questions, add password, hit enter.
Give new user sudo privileges:
Generate SSH Key Pair on Local Machine
You can re-use an existing one if it already exists.
Add a passphrase.
Copy Public SSH Key to Server
The easiest way to do this:
You will be prompted for the user’s password…and that’s it!
Reboot Server From Command Line
This is sometimes prompted for/required during the setup process:
Harden SSH Access
Backup config:
Restrict root login so it is only via SSH key (NOT Password):
Amend the PermitRootLogin entry:
Ctrl+o to save, Ctrl+x to exit. Then reload ssh:
Try and connect in a new terminal BEFORE CLOSING THE OPEN TERMINAL!!!
Test logging in to root via SSH - it will allow password entry, but the response should be: “Permission denied, please try again.”
Firewall
Set up ‘Uncomplicated Firewall’: ufw.
Allow connections on the custom SSH port:
Allow port 80, for HTTP (web) traffic:
To allow https traffic, open port 443:
Show the exceptions you have added:
Enable the firewall:
More info on configuring ufw.
Swapfile
A swapfile is probably not necessary, but it may prevent the server crashing in the event of high traffic. Note that accessing data stored on disk (rather than in memory) is slow.
It is generally recommended that the size of the swapfile should be 2 x RAM.
Determine RAM:
Use fallocate to allocate space to swap file:
fallocate is used to manipulate the allocated disk space for a file, either to deallocate or preallocate it. For filesystems which support the fallocate system call, preallocation is done quickly by allocating blocks and marking them as uninitialized, requiring no IO to the data blocks. This is much faster than creating a file by filling it with zeros. fallocate man page
Give correct permissions to the swapfile - restrict access so other users/processes can’t see it:
Format the file for swap:
Make the file available for swap:
Make it available for swap at boot by amending /etc/fstab:
Resources