All the steps required to build an Ubuntu app server with SSH, Firewall, Nginx, SSL, Node, Postgres
Note: we will be using new user 'ifactory' to make it easier to copy and paste commands
1. Pre-Steps
Have a PuttyGen SSH key pair set up: the public key (.pub, uploaded to the Ubuntu server) and the private key (.ppk, stored on your PC).
Deploy an Ubuntu server on AWS, Azure, Digital Ocean, Linode, OVH or Australian dedicated/VPS provider.
Basic understanding of the nano editor:
CTRL-U paste
CTRL-O to save
CTRL-X to exit
CTRL-Z to minimise Nano, then 'fg' to re-maximise
SSH into server with the root user created by cloud provider.
2. Update Server
Update Ubuntu packages.
$ apt update [ inform server about latest updates available ]
$ apt list --upgradeable [ returns a list of upgradable packages. run after: $ apt update ]
$ apt upgrade [ Install latest updates ]
3. Set Server Hostname, IP and Domain
Set the server hostname - it's just a generic handle and not a domain name
$ hostnamectl set-hostname example-hostname [ set hostname ]
$ hostnamectl status [ Check hostname is updated ]
$ nano /etc/hosts [ Edit hosts file ]
Add a line in the Nano editor with the server's public IP and domain name:
4. Set Timezone
$ timedatectl [ Show timezone info ]
$ dpkg-reconfigure tzdata [ Set the timezone interactively ]
5. Security
Install Fail2ban to limit failed SSH login attempts:
$ apt install fail2ban
$ cd /etc/fail2ban
$ cp jail.conf jail.local [ Create a copy of the config file. This will be read automatically on service restart ]
$ nano jail.local [ Open file in Nano editor ]
Uncomment and set ignoreip (office IP address), bantime, maxretry etc., then enable the sshd jail:
[sshd]
enabled = true
Then write out file.
$ service fail2ban restart [ Restart fail2ban so the new jail config is read ]
6. Unattended Upgrades
$ apt install unattended-upgrades [ Install ]
$ systemctl enable unattended-upgrades [ Enable ]
$ systemctl start unattended-upgrades [ Start ]
$ nano /etc/apt/apt.conf.d/50unattended-upgrades [ Set what to upgrade ]
$ nano /etc/apt/apt.conf.d/20auto-upgrades [ Set when to upgrade ]
$ sudo unattended-upgrades --dry-run --debug [ Confirm config ]
7. Setup Firewall
Turn on the firewall and open HTTP, HTTPS and OpenSSH
$ ufw allow OpenSSH [ Allow incoming OpenSSH connections on port 22 ]
$ ufw allow http [ Allow http over port 80 ]
$ ufw allow https [ Allow https over port 443 ]
$ sudo ufw allow from 119.18.38.68 to any port 5432 [ Allow Postgres port 5432 from iFactory office ]
$ sudo ufw allow from 118.88.24.53 to any port 465 [ Allow nodemailer to receive response from external mail host ]
$ ufw enable [ Enable firewall ]
$ sudo ufw disable [ Disable firewall ]
$ sudo ufw reload [ Reload firewall rules ]
Additional commands
$ ufw status verbose [ show current firewall ]
$ ufw deny [ deny a particular service or port ]
$ ufw status numbered [ show rules with a number - use number to delete a rule ]
$ ufw delete [ delete a port or service by its status rule number ]
8. Setup Non-Root User
Set up a non-root user, grant sudo and open the firewall to OpenSSH
$ adduser ifactory [ Create new user 'ifactory' ]
$ usermod -aG sudo ifactory [ Grant new user sudo permissions ]
Related Commands:
$ less /etc/group [ list all Ubuntu groups ]
'q' to exit list
$ passwd ifactory [ Set/change password for user 'ifactory' ]
$ groups ifactory [ Show if a user exists and its groups e.g. sudo ssl-cert ]
$ getent passwd | grep ifactory [ Search for a user ]
9. Add New User's SSH Key
Requires that you have already created an ssh-rsa public/private key pair using PuttyGen.
It is safer to only allow SSH connections via a key and not a password. Before disabling password authentication, make sure that you either have SSH key-based authentication configured for the root account on this server, or preferably, that you have SSH key-based authentication configured for an account on this server with sudo access.
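Added example (not part of the original guide): shell checks to run on the server before turning off password authentication, confirming the sudo user really can get in with a key. It assumes the user is 'ifactory' as in the guide; the file paths are parameters so the functions can also be pointed at test copies.

```shell
#!/usr/bin/env bash
# Pre-flight checks before setting PasswordAuthentication no in sshd_config.
# Added example, not the guide's own commands. Assumes the sudo user is
# 'ifactory' (as in the guide) and GNU stat (Ubuntu).

# Return 0 if the file holds at least one plain public-key line of a common
# type (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp*) followed by a base64 blob.
# Lines with leading options (e.g. from="...") are not matched by this check.
authorized_keys_ok() {  # $1 = path to authorized_keys
  [ -s "$1" ] || return 1
  grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]].*)?$' "$1"
}

# Return 0 if the file is readable only by its owner (mode 600 or 400);
# sshd refuses keys in group/world-readable files under StrictModes.
key_file_mode_ok() {  # $1 = path
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Return 0 if the user is listed in the sudo group of an /etc/group-style file.
user_in_sudo_group() {  # $1 = user, $2 = group file (default /etc/group)
  grep -E "^sudo:[^:]*:[0-9]+:(.*,)?$1(,.*)?\$" "${2:-/etc/group}" >/dev/null
}

# Run all checks for a user; print each failure, return non-zero if any failed.
ready_for_key_only_login() {  # $1 = user, $2 = home dir, $3 = group file
  ok=0
  authorized_keys_ok "$2/.ssh/authorized_keys" || { echo "no valid key in $2/.ssh/authorized_keys"; ok=1; }
  key_file_mode_ok "$2/.ssh/authorized_keys"   || { echo "$2/.ssh/authorized_keys must be mode 600"; ok=1; }
  user_in_sudo_group "$1" "$3"                 || { echo "$1 is not in the sudo group"; ok=1; }
  return $ok
}

# On the server from the guide:
# ready_for_key_only_login ifactory /home/ifactory /etc/group \
#   && echo "safe to set PasswordAuthentication no and restart sshd"
```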