
Disclaimer

This guide does not pretend to be production ready, but it can shed some light on the process and give a direction on what to do. It does expect basic Linux knowledge from the reader.

Introduction

When you set up a box, there are a few configuration steps that you should take early on as part of the basic setup. They increase the security and usability of your server and give you a solid foundation for subsequent actions.

Creating a new user

Because of the heightened privileges of the root account, using it on a regular basis is discouraged. Thus we set up an alternative user account with a reduced scope of influence for day-to-day work.

Connecting to your box

ssh root@remote_host

Creating a New User with a strong password

adduser new_user

Granting administrative privileges

usermod -aG sudo new_user

Note: Now, when logged in as your new_user, you can type sudo before commands to perform actions with superuser privileges.

Creating the RSA key pair

So far, so good, but we are still open to brute-force attacks. To enhance your server's security, it is strongly recommended to set up SSH keys instead of using password authentication.

Generating key pair

# Host machine
ssh-keygen

Copying public key using ssh-copy-id

# Host machine
ssh-copy-id new_user@remote_host

or

# Host machine
ssh-copy-id -i ~/.ssh/id_rsa.pub new_user@remote_host

Alternative: copying the public key manually. The idea is to put the content of id_rsa.pub into ~/.ssh/authorized_keys on the remote box.

# Host machine
cat ~/.ssh/id_rsa.pub
# Copy the output
# Remote box
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
nano ~/.ssh/authorized_keys
# Paste the public key you copied from your local machine and save the authorized_keys file

Ensuring permissions. The ~/.ssh directory and the authorized_keys file should have the following permissions set:

# Remote box
chmod -R go= ~/.ssh

Note: This recursively removes all "group" and "other" permissions from the ~/.ssh/ directory and its contents.

Disabling password authentication on a remote box

sudo nano /etc/ssh/sshd_config

Inside the file, search for a directive called PasswordAuthentication. This may be commented out. Uncomment the line and set the value to “no”. Save and exit.

Applying changes. To actually apply these changes, we need to restart the SSH service:

sudo systemctl restart ssh

Note: As a precaution, open up a new terminal window and test that the SSH service is functioning correctly before closing this session: ssh new_user@remote_host
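The manual "find PasswordAuthentication, uncomment it and set it to no" step above, scripted so it can be rerun safely and checked before the restart. This is an added example, not code from the vps-setup repository; the function names are this example's own, and the sample config it edits is constructed in a temporary file.

```shell
#!/bin/sh
# Added example, not part of the radchenk0/vps-setup repository.
# Scripts the manual "find PasswordAuthentication, uncomment it, set it to no"
# step so it is idempotent, and checks the result before the service restart.

# set_sshd_option FILE KEY VALUE
# Leaves exactly one active "KEY VALUE" line in FILE: an active line is
# replaced, a commented "#KEY ..." line is uncommented and replaced, later
# duplicates are dropped, and the directive is appended if KEY is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    # sshd directive names are case-insensitive, so match on lower-cased text
    awk -v key="$key" -v value="$value" '
        tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|=)" {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner/mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# check_sshd_option FILE KEY VALUE
# Exit 0 only if the first active KEY line carries VALUE. This mirrors how
# sshd reads the file: comments are ignored and the first match wins.
check_sshd_option() {
    awk -v key="$2" -v value="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { found = 1; exit (tolower($2) == tolower(value) ? 0 : 1) }
        END { if (!found) exit 1 }
    ' "$1"
}

# Demo on a constructed copy (stock Ubuntu ships the commented form).
# On a real box run the two functions against /etc/ssh/sshd_config as root,
# then: sudo sshd -t && sudo systemctl restart ssh
demo=$(mktemp)
printf '#PasswordAuthentication yes\nUsePAM yes\n' > "$demo"
set_sshd_option "$demo" PasswordAuthentication no
if check_sshd_option "$demo" PasswordAuthentication no; then
    echo "ok: $(grep -i '^passwordauthentication' "$demo")"
else
    echo "directive not applied" >&2
fi
rm -f "$demo"
```

After the restart, confirm the value sshd actually uses with `sudo sshd -T | grep -i passwordauthentication`: on Ubuntu 22.04 and later the main file starts with an Include of /etc/ssh/sshd_config.d/, and a file there (cloud images may ship one that sets PasswordAuthentication yes) is read first and wins.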

Setting up the firewall

If your Ubuntu server has IPv6 enabled, ensure that UFW is configured to support IPv6 so that it manages firewall rules for IPv6 in addition to IPv4.

sudo nano /etc/default/ufw
# Then make sure the value of IPV6 is yes
IPV6=yes

Save and close the file.

Setting up default policies

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allowing SSH connections

sudo ufw allow ssh
# sudo ufw allow 22

Enabling UFW

sudo ufw enable

Allowing other connections

Http

sudo ufw allow http
# sudo ufw allow 80

Https

sudo ufw allow https
# sudo ufw allow 443

Subnets

sudo ufw allow from 203.0.113.0/24
# from 203.0.113.1 to 203.0.113.254

Specific IP Address

sudo ufw allow from 203.0.113.4

Limiting the number of connections. By default, the limit rule rate-limits an address that attempts 6 connections within 30 seconds:

sudo ufw limit ssh/tcp

Checking UFW status and rules

sudo ufw status verbose

Disabling/resetting UFW

sudo ufw disable
sudo ufw reset

Enabling UFW logs

sudo ufw logging on
# sudo ufw logging low
# sudo ufw logging medium
# sudo ufw logging high

Note: Logs are located in /var/log/ufw.log

Showing the ports we are listening on

sudo ufw show listening

Resources
