Ubuntu Server 16.04, also named Xenial Xerus, has been released by Canonical and it’s now ready for installation.
The details about this new LTS version can be found on the previous article: How to upgrade Ubuntu 15.10 to 16.04.
This topic will guide you on how you can install Ubuntu 16.04 Server Edition with Long Time Support on your machine.
If you’re looking for Desktop Edition, read our previous article: Installation of Ubuntu 16.04 Desktop
Requirements
Install Ubuntu 16.04 Server Edition
1. On the first step visit the above link and download the latest version of Ubuntu Server ISO image on your computer.
Once the image download completes, burn it to a CD or create a bootable USB disk using Unbootin (for BIOS machines) or Rufus (for UEFI machines).
2. Place the bootable media intro the appropriate drive, start-up the machine and instruct the BIOS/UEFI by pressing a special function key (F2, F11, F12) to boot-up from the inserted USB/CD drive.
In a few seconds you will be presented with the first screen of Ubuntu installer. Select your language to perform the installation and hit Enter key to move to the next screen.
Choose Ubuntu 16.04 Server Installation Language
3. Next, select the first option, Install Ubuntu Server and press Enter key to continue.
Install Ubuntu 16.04 Server
4. Select the language you with to install the system and press Enter again to continue further.
Select Language for Ubuntu 16.04 Server
5. On the next series of screen choose your physical location from the presented list. If your location is different than the ones offered on the first screen, select other and hit Enter key, then select the location based on your continent and country. This location will be also used by the timezone system variable. Use the below screenshots as a guide.
Choose Location for Ubuntu 16.04 Server
Select Country Region
Select Area Location
6. Assign the locales and keyboard settings for your system as illustrated below and hit Enter to continue the installation setup.
Configure Locales
Configure Keyboard Layout
7. The installer will load a series of additional components required for the next steps and will automatically configure your network settings in case you have a DHCP server on the LAN.
Because this installation is intended for a server it’s a good idea to setup a static IP address for your network interface.
To do this you can interrupt the automatic network configuration process by pressing on Cancel or once the installer reaches hostname phase you can hit on Go Back and choose to Configure network manually.
Set Ubuntu 16.04 Hostname
Configure Network Manually
8. Enter your network settings accordingly (IP Address, netmask, gateway and at least two DNS nameservers) as illustrated on the below images.
Set Static IP Address on Ubuntu 16.04
Configure Network Mask for Ubuntu 16.04
Configure Network Gateway for Ubuntu 16.04
Configure Network DNS on Ubuntu 16.04
9. On the next step setup a descriptive hostname for your machine and a domain (not necessary required) and hit on Continue to move to the next screen. This step concludes the network settings.
Set Ubuntu 16.04 Server Hostname
Set Ubuntu 16.04 Domain Name
10. On this step the installer prompts you to setup a username and a password for your system. This username will be granted by the system with sudo powers, so, technically, this user will be the supreme administrator next to root account (which is disabled by default).
Thus, choose an inspired username, maybe hard to guess for security reasons, with a strong password and hit on Continue. Choose not to encrypt your home directory and press Enter to continue further.
Setup User and Password
11. Next, the installer will automatically set your clock based on the physical location configured earlier. In case the location is correctly chosen hit on Yes to continue to disk partition layout.
Configure System Clock
12. On the next step you can choose the method that will be used to slice up your disk. For instance, if you need to create custom partition scheme (such as /home, /var, /boot etc) choose Manual method.
For a general purpose server you can stick to Guided with LVM method as illustrated below, which automatically creates the partitions on your behalf.
Select Partition Method
13. Next, select the disk that will be used by the installer to create partitions and press Enter key.
Select Disk Partition
14. Answer with Yes at the next screen in order to commit changes to disk with LVM scheme and hit on Continue to use the entire disk space for guided partitions.
Add Disk Partition Size
Confirm Disk Partition Changes
15. Finally, approve for the last time the changes to be written to disk by pressing on Yes and the installation will now begin. From this step on all the changes will be committed to disk.
Confirm Disk Partition Changes
Installing Ubuntu 16.04 Server
16. In case your system is behind a proxy or a firewall use the next screen to bypass the network restrictions, otherwise just leave it black and hit on Continue.
Configure System Package Manager
17. Next, the installer will configure apt repositories and will install the selected software. After it finishes the installation tasks a new screen will appear which will ask you how to manage the upgrade process. Select Noautomatic updates for now (you will manually select what updates are necessary) and hit Enter key to continue.
Manage Ubuntu 16.04 Upgrades
18. On the next step you will be asked to select what software to install. Select only standard system utilities and OpenSSH server (if you require remote access) by pressing the spacebar key and hit on Continue.
System Software Selection
19. Once the installer finishes installing the software, a new screen will prompt you whether to install the Grubboot loader to hard disk MBR (first 512 byte sector). Obviously without the GRUB you can’t boot up your system after restart, so hit on Yes to continue with the installation.
Install Grub Boot Loader
20. Finally, after the boot loader is written to Hard Disk MBR, the installation process finishes. Hit on Continue to reboot the machine and remove the installation media.
Finish Ubuntu 16.04 Server Installation
21. After reboot, login to your system console using the credentials configured during the installation process and you’re good to go on production with your server.
Ubuntu 16.04 Server Login Prompt
That’s all! Keep in mind that this version of Ubuntu has official maintenance support from Canonical until 2021for hardware, bugs, software and security updates.
Initial Ubuntu Server Setup for Beginners
This tutorial will guide you on the first basic steps you need to configure on a new installed Ubuntu server in order to increase security and reliability for your server.
The configurations explained in this topic are almost the same for all Ubuntu server systems, regarding of the underlying OS platform, whether Ubuntu is installed on a bare-metal server, in a private virtual machine or a virtual machine spinned-out in a VPS public cloud.
Requirements
Update and Upgrade Ubuntu System
The first step you need to take care of in case of fresh installation of Ubuntu server or a new deployed Ubuntu VPS is to make sure the system and all system components, such as the kernel, the package manager and all other installed packages are up-to-date with the latest released versions and security patches.
To update Ubuntu server, to log in to server’s console with an account with root privileges or directly as root and run the below commands in order to perform the update and upgrade process.
$ sudo apt update
Update Ubuntu Server
After running the update command, you will see the number of available packages for upgrading process and the command used for listing the packages upgrades.
$ sudo apt list --upgradable
List Upgrade Ubuntu Packages
After you’ve consulted the list of packages available for upgrading, issue the below command to start system upgrade process.
$ sudo apt upgrade
Upgrade Ubuntu Server Packages
In order to remove all locally downloaded deb packages and all other apt-get caches, execute the below command.
$ sudo apt autoremove $ sudo apt clean
Autoremove APT Packages and Cache
Create New Account in Ubuntu
By default, as a security measure, the root account is completely disabled in Ubuntu. In order to create a new account on the system, log in to the system with the account user with root privileges and create a new account with the below command.
This new account will be granted with root powers privileges via sudo command and will be used to perform administrative tasks in the system. Make sure you setup a strong password to protect this account. Follow the adduser prompt to setup the user details and password.
$ sudo adduser ubuntu_user
Create User in Ubuntu
If this account will be assigned to another system admin, you can force the user to change its password at the first log in attempt by issuing the following command.
$ sudo chage -d0 ubuntu_user
For now, the new added user cannot perform administrative tasks via sudo utility. To grant this new user account with administrative privileges you should add the user to “sudo” system group by issuing the below command.
$ sudo usermod -a -G sudo ubuntu_user
By default, all users belonging to the “sudo” group are allowed to execute commands with root privileges via sudo utility. Sudo command must be used before writing the command needed for execution, as shown in the below example.
$ sudo apt install package_name
Test if the new user has the root privileges granted, by logging in to the system and run the apt updatecommand prefixed with sudo.
$ su - ubuntu_user $ sudo apt update
Verify New User
Configure System Hostname in Ubuntu
Usually, the machine hostname is set-up during the system installation process or when the VPS is created in the cloud. However, you should change the name of your machine in order to better reflect the destination of your server or to better describe its final purpose.
In a large company, machines are named after complex naming schemes in order to easily identify the machine in datacenter’s racks. For instance, if your Ubuntu machine will operate a mail server, the name of the machine should reflect this fact and you can setup machine hostname as mx01.mydomain.lan, for example.
To show details about your machine hostname run the following command.
$ hostnamectl
In order to change the name of your machine, issue hostnamectl command with the new name you will configure for your machine, as illustrated in the below excerpt.
$ sudo hostnamectl set-hostname tecmint
Verify the new name of your system with one of the below commands.
$ hostname $ hostname -s $ cat /etc/hostname
Set Hostname in Ubuntu Server
Setup SSH with Public Key Authentication in Ubuntu
To increase system security degree of an Ubuntu server, you should set-up SSH public key authentication for an local account. In order to generate SSH Key Pair, the public and private key, with a specifying a key length, such as 2048 bits, execute the following command at your server console.
Make sure you’re logged in to the system with the user you’re setting up the SSH key.
$ su - ubuntu_user $ ssh-keygen -t RSA -b 2048
Setup SSH Keys in Ubuntu
While the key is generated, you will be prompted to add passphrase in order to secure the key. You can enter a strong passphrase or choose to leave the passphrase blank if you want to automate tasks via SSH server.
After the SSH key has been generated, you can copy the public key to a remote server by executing the below command. To install the public key to the remote SSH server you will need a remote user account with the proper permissions and credentials to log in to remote server.
$ ssh-copy-id remote_user@remote_server
Copy SSH Key to Remote Server
You should be able to automatically log in via SSH to the remote server using the public key authentication method. You won’t need to add the remote user password while using SSH public key authentication.
After you’ve logged in to the remote server, you can start to execute commands, such as w command to list ssh remote logged in users, as shown in the below screenshot.
Type exit in the console to close the remote SSH session.
$ ssh remote_user@remote_server $ w $ exit
Verify SSH Passwordless Login
To see the content of your public SSH key in order to manually install the key to a remote SSH server, issue the following command.
$ cat ~/.ssh/id_rsa.pub
View SSH Key
Secure SSH Server in Ubuntu
In order to secure the SSH daemon you should change the default SSH port number from 22 to a random port, higher than 1024, and disallow remote SSH access to the root account via password or key, by opening SSH server main configuration file and make the following changes.
$ sudo vi /etc/ssh/sshd_config
First, search the commented line #Port22 and add a new line underneath (replace the listening port number accordingly):
Port 2345
Don’t close the file, scroll down and search for the line #PermitRootLogin yes, uncomment the line by removing the # sign (hashtag) from the beginning of the line and modify the line to look like shown in the below excerpt.
PermitRootLogin no
Secure SSH Service
Afterwards, restart the SSH server to apply the new settings and test the configuration by trying to log in from a remote machine to this server with the root account via the new port number. The access to root account via SSH should be restricted.
$ sudo systemctl restart sshd
Also, run netstat or ss command and filter the output via grep in order to show the new listening port number for SSH server.
$ sudo ss -tlpn| grep ssh $ sudo netstat -tlpn| grep ssh
Verify SSH Port
There are situations where you might want to automatically disconnect all remote SSH connections established into your server after a period of inactivity.
In order to enable this feature, execute the below command, which adds the TMOUT bash variable to your account .bashrc hidden file and forces every SSH connection made with the name of the user to be disconnected or dropped-out after 5 minutes of inactivity.
$ echo 'TMOUT=300' >> .bashrc
Run tail command to check if the variable has been correctly added at the end of .bashrc file. All subsequent SSH connections will be automatically closed after 5 minutes of inactivity from now on.
$ tail .bashrc
In the below screenshot, the remote SSH session from drupal machine to Ubuntu server via ubuntu_user account has been timed out and auto-logout after 5 minutes.
Auto Disconnect SSH Sessions
Configure Ubuntu Firewall UFW
Every server needs a well configured firewall in order to secure the system at network level. Ubuntu server uses UFW application to manage the iptables rules on the server.
Check the status of UFW firewall application in Ubuntu by issuing the below commands.
$ sudo systemctl status ufw $ sudo ufw status
Check UFW Firewall Status
Usually, the UFW firewall daemon is up and running in Ubuntu server, but the rules are not applied by default. Before enabling UFW firewall policy in you system, first you should add a new rule to allow SSH traffic to pass through firewall via the changed SSH port. The rule can be added by executing the below command.
$ sudo ufw allow 2345/tcp
After you’ve allowed SSH traffic, you can enable and check UFW firewall application with the following commands.
$ sudo ufw enable $ sudo ufw status
Open SSH Port and Verify
To add new firewall rules for other network services subsequently installed on your server, such as HTTP server, a mail server or other network services, use the below firewall commands examples as guide.
$ sudo ufw allow http #allow http traffic $ sudo ufw allow proto tcp from any to any port 25,443 # allow https and smtp traffic
To list all firewall rules run the below command.
$ sudo ufw status verbose
Check UFW Firewall Rules
Set Ubuntu Server Time
To control or query Ubuntu server clock and other related time settings, execute timedatectl command with no argument.
In order to change your server’s time zone settings, first execute timedatectl command with list-timezones argument to list all available time zones and, then, set the time zone of your system as shown in the below excerpt.
$ sudo timedatectl $ sudo timedatectl list-timezones $ sudo timedatectl set-timezone Europe/Vienna
Set Ubuntu Timezone
The new systemd-timesyncd systemd daemon client can be utilized in Ubuntu in order to provide an accurate time for your server across network and synchronize time with an upper time peer server.
To apply this new feature of Systemd, modify systemd-timesyncd daemon configuration file and add the closest geographically NTP servers to NTP statement line, as shown in the below file excerpt:
$ sudo nano /etc/systemd/timesyncd.conf
Add following configuration to timesyncd.conf file:
[Time] NTP=0.pool.ntp.org 1.pool.ntp.org FallbackNTP=ntp.ubuntu.com
NTP Time Configuration
To add your nearest geographically NTP servers, consult the NTP pool project server list at the following address: http://www.pool.ntp.org/en/
Afterwards, restart the Systemd timesync daemon to reflect changes and check daemon status by running the below commands. After restart, the daemon will start to sync time with the new ntp server peer.
$ sudo systemctl restart systemd-timesyncd.service $ sudo systemctl status systemd-timesyncd.service
Start TimeSyncd Service
Disable and Remove Unneeded Services in Ubuntu
In order to get a list of all TCP and UDP network services up-and-running by default in your Ubuntu server, execute the ss or netstat command.
$ sudo netstat -tulpn OR $ sudo ss -tulpn
List All Running Services
Staring with Ubuntu 16.10 release, the default DNS resolver is now controlled by systemd-resolved service, as revealed by the output of netstat or ss commands.
You should also check the systemd-resolved service status by running the following command.
$ sudo systemctl status systemd-resolved.service
Check Systemd Resolved Status
The systemd-resolved service binds on all enabled network interfaces and listens on ports 53 and 5355 TCPand UDP.
Running system-resolved caching DNS daemon on a production server can be dangerous due to the numerous number of DDOS attacks performed by malicious hackers against unsecured DNS servers.
In order to stop and disable this service, execute the following commands.
$ sudo systemctl stop systemd-resolved $ sudo systemctl disable systemd-resolved
Disable Systemd Resolved Service
Verify if the service has been stopped and disabled by issuing ss or netstat command. The systemd-resolved listening ports, 53 and 5355 TCP and UDP, should not be listed in netstat or ss command output, as illustrated in the below.
You should also reboot the machine in order to completely disable all systemd-resolved daemon services and restore the default /etc/resolv.conf file.
$ sudo ss -tulpn $ sudo netstat -tulpn $ sudo systemctl reboot
Verify All Running Services
Although, you’ve disabled some unwanted networking services to run in your server, there are also other services installed and running in your system, such as lxc process and snapd service. These services can be easily detected via ps, top or pstree commands.
$ sudo ps aux $ sudo top $ sudo pstree
List Running Services in Tree Format
In case you’re not going to use LXC container virtualization in your server or start installing software packaged via Snap package manager, you should completely disable and remove these services, by issuing the below commands.
$ sudo apt autoremove --purge lxc-common lxcfs $ sudo apt autoremove --purge snapd
That’s all! Now, Ubuntu server is now prepared for installing additional software needed for custom network services or applications, such as installing and configuring a web server, a database server, a file share service or other specific applications.