Ubuntu Server Setup

All the steps required to build an Ubuntu app server with SSH, Firewall, Nginx, SSL, Node, Postgres

Note: we will be using new user 'ifactory' to make it easier to copy and paste commands

1. Pre-Steps

Have a a PuttyGen Public .pub (uploaded to Ubuntu server) and Private.ppk (stored on your PC) SSH key setup.
Deploy an Ubuntu server on AWS, Azure, Digital Ocean, Linode, OVH or Australian dedicated/VPS provider.
Basic understanding of the nano editor: https://www.nano-editor.org/dist/latest/cheatsheet.html

CTRL-U paste
CTRL-O to save
CTRL-X to exit
CTRL-Z to minmise Nano then 'fg' to re-maximise

SSH into server with the root user created by cloud provider.

2. Update Server

Update Ubuntu packages.

$ apt update             [ inform server about lastest updates available ]
$ apt list --upgradeable [ returns a list of upgradable packages. run after: $ apt update ]
$ apt upgrade            [ Install latest updates ]

3. Set Server Hostname, IP and Domain

https://www.linode.com/docs/guides/getting-started/

Set the server hostname - its just a generic handle and not a domain name

$ hostnamectl set-hostname example-hostname     [ set hostname ]
$ hostnamectl status                            [ Check hostname is updated ]
$ nano /etc/hosts                               [ Edit hosts file ]

Add line in Nano editor and add server public IP and domain name:

203.0.113.10 example-hostname.example.com example-hostname

4. Set Server Timezone

$ timedatectl                   [ Show timezone info ]
$ dpkg-reconfigure tzdata       [ Set the timezone interactively ]

5. Security

install Fail2ban to limit failed SSH requests:

$ apt install fail2ban
$ cd /etc/fail2ban
$ cp jail.conf jail.local       [ Create a copy of config file. this wil be read automatically on service restart ]
$ nano jail.local               [ Open file in Nano editor ]

Uncomment and add to ignoreip office IP address, ban time, max retry etc.

[Sshd] 
enabled=true

Then write out file.

$ service fail2ban restart     [ Restart fail2ban for services to run. ]

Install Fail2Ban: https://www.linode.com/docs/guides/using-fail2ban-to-secure-your-server-a-tutorial/

6. Unattended Upgrades

$ apt install unattended-upgrades                 [ Install ]
$ systemctl enable unattended-upgrades            [ Enable ]
$ systemctl start unattended-upgrades             [ Start ]
$ nano /etc/apt/apt.conf.d/50unattended-upgrades  [ Set what to upgrade ]
$ nano /etc/apt/apt.conf.d/20auto-upgrades        [ Set when to upgrade ]
$ sudo unattended-upgrades --dry-run --debug      [ Confirm config ]

https://www.linode.com/docs/guides/how-to-configure-automated-security-updates-ubuntu/

7. Setup Firewall

Turn on firewall and open to HTTP, HTTPS, OpenSSH

$ ufw allow OpenSSH     [ Enable firewall to accept firewall connections OpenSSH over port 22 ]
$ ufw allow http        [ Allow http over port 80 ]
$ ufw allow https       [ Allow https over port 443 ]
$ sudo ufw allow from 119.18.38.68 to any port 5432   [ Allow Postgres port 5432 from iFactory office ]
$ sudo ufw allow from 118.88.24.53 to any port 465    [ Allow nodemailer to receive response from external mail host ]
$ ufw enable            [ Enable firewall ]
$ sudo ufw disable      [ Disable firewall ]
$ sudo ufw reload       [ Reload firewall rules ]

Additonal commands

$ ufw status verbose          [ show current firewall ]
$ ufw deny   [ deny a particular service or port ]
$ ufw status numbered         [ show rules with a number - use number to delete a rule ]
$ ufw delete          [ delete a port or service by its status rule number ]

https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04

https://www.linode.com/docs/security/securing-your-server/

8. Setup Non-Root User

Setup a non Root user, grant Sudo and open firewall to OpenSSH

$ adduser ifactory              [ Create new user 'ifactory' ]
$ usermod -aG sudo ifactory     [ Grant new user Sudo permssions ]

Related Commands:

$ less /etc/group               [ list all Ubuntu groups ]
  'q' to exit list
$ passwd ifactory               [ Set/change password for user 'ifactory' ]
$ groups ifactory               [ Show if a user exists and its groups e.g. sudo ssl-cert  ]
$ getent passwd | grep ifactory [ Search for a user ]

9. Add New Users SSH Key

Requires you have already created an ssh-rsa Public privata key pair using PuttyGen.

$ cd /home/ifactory
$ mkdir .ssh
$ touch .ssh/authorized_keys
$ nano .ssh/authorized_keys

https://www.digitalocean.com/community/questions/ubuntu-16-04-creating-new-user-and-adding-ssh-keys

10. Set Permissions on New User Home directory

$ chown -R ifactory:ifactory /home/ifactory/
$ chmod 700 /home/ifactory/.ssh
$ chmod 644 /home/ifactory/.ssh/authorized_keys

11. Setup Visual Studio Code SSH Access

Visual Studio Code (VS Code) can work off a remote development server with these steps:

In VS Code, install the Microsoft extension 'Remote - SSH'
If your SSH server access is with a PuttyGen .ppk key, you may need to convert to the OpenSSH fromat:

Open PuttyGen.
Load the .ppk key using 'Load' button.
Select from top navigation > Conversions > Export OpneSSH key ( force new file format ).
When prompted save file: my-ssh-key.open-ssh.ppk to differetiate from existing standard my-ssh-key.ppk.

In VS Code select the 'Remote Explorer' icon in side navigation and select '+' to add a new SSH target.

12. Disable SSH Password Authentication - OPTIONAL

It is safer to only allow SSH conections via a key and not a password. Before disabling password authentication, make sure that you either have SSH key-based authentication configured for the root account on this server, or preferably, that you have SSH key-based authentication configured for an account on this server with sudo access.

https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

PreviousIntroduction NextSettings

Last updated 4 years ago

Was this helpful?