I recently purchased a dedicated physical server from Hetzner so I could run Nextcloud and a few other websites. However, I wanted to set up the server with some sane defaults out of the box so here are a few configuration steps that you should take early on as part of the basic setup.
Step 1 — Logging in as Root
Once the server is online, log in via SSH using the root user. I was able to set up the root account to use my public key during the initial preparation, so I don't need a password. As below you can use either the IP address or hostname to connect.
ssh [email protected]<IP address/Hostname>
Accept the warning about host authenticity if it appears. If you are using password authentication, provide your root password to log in. Otherwise, you should see a cmd prompt.
Step 2 — Creating a New User
The root user is the administrative user in a Linux environment and has "God" privileges (access to everything). As such, it is not a good idea to use the root account.
Given the above, the next step is to set up a standard user account.
Once you are logged in as root, we can run the adduser account to add a new user.
My example creates a new user called andrew, obviously replace andrew with suitable username:
The process asks several questions, starting with the account password. Enter a strong password and, optionally, fill in any of the additional information if you would like. These fields are optional, and you can hit ENTER to skip or accept the default for each the question.
If you set up the root account to accept public keys you may want to use the same key with your normal account. Instead of manually creating the .ssh folder and authorised_keys file in the new home directory run the following:
rsync --archive --chown=andrew:andrew ~/.ssh /home/andrew
The above command uses the Rsync tool to copy the root user's .ssh directory, preserve the file permissions, and modify the file owners (so your user can read the file), all in a single command.
Step 3 — Granting Administrative Privileges
Now we have a new user account with regular account privileges. However, this account should be used to complete tasks which require temporary root or elevated privileges. We can grant what is known as "superuser" or root privileges. This allows our normal user to execute commands with administrative privileges by putting the word sudo before each command.
To add these privileges to the user account, the account needs to be in the sudo group. As root, run this command to add your new user to the sudo group (substitute andrew with your new user):
usermod -aG sudo andrew
Now, exit out of the ssh session and log on with your user:
ssh [email protected]<IP address/hostname>
You should be able to log on. To test your user has sudo access, run:
You will be prompted for your password. If nothing comes back you have got sudo privileges working.
Step 4 — Setting Up a Basic Firewall
Next, we are going to install a firewall to improve security. UFW firewall is an excellent choice as it is far easier to configure than IPTables. We can use the firewall to make sure only the connections to SSH and web server are allowed.
Although we have configured our user to use sudo, there are times when it is more efficient to switch to the root user, this is especially true when you are running a long list of commands, and you don't want to have to input sudo in front of each one.
To switch to root, type:
Now we are root, run the following command to install and configure UFW:
apt install ufw -y && ufw allow 80/tcp && ufw allow 443/tcp && ufw allow 22/tcp
The above command uses apt to install the UFW firewall and then set the firewall to allow incoming traffic on ports 22 (SSH), 80 (HTTP) & 443 (HTTPS) only. Traffic to all other ports is then dropped.
Finally run the following to enable UFW:
ufw logging medium && ufw default deny incoming && ufw enable && service ufw restart
Step 5 — Setting Up Fail2Ban
Fail2Ban is a basic Intrusion Detection System which monitors the Ubuntu server logs for attempts to connect to the server and automatically blocks the IP if too many failed attempts are made. This will stop any body from trying to brute-force access to your server.
To install simply run
sudo apt update && sudo apt install fail2ban -y
Fail2Ban is automatically installed and set up to monitor SSH without any further configuration. You can run commands to check the status by using fail2ban-client.
To check the status, run the following:
sudo fail2ban-client status sshd
The output will look like:
Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 44 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 0 |- Total banned: 4 `- Banned IP list:
That is it. At this point, you have a solid foundation for your server. You have a basic Linux server set up with a standard user, firewall and IDS set up to monitor SSH traffic.