Installation of Ubuntu 16.04 Server Edition and Initial Ubuntu Server Setup

Ubuntu Server 16.04, also named Xenial Xerus, has been released by Canonical and it’s now ready for installation.

Details about this new LTS version can be found in the previous article: How to upgrade Ubuntu 15.10 to 16.04.

This guide shows how to install Ubuntu 16.04 Server Edition with Long Term Support (LTS) on your machine.

If you’re looking for Desktop Edition, read our previous article: Installation of Ubuntu 16.04 Desktop

Requirements

  1. Ubuntu 16.04 Server ISO Image

Install Ubuntu 16.04 Server Edition

1. First, visit the above link and download the latest version of the Ubuntu Server ISO image to your computer.

Once the image download completes, burn it to a CD or create a bootable USB disk using UNetbootin (for BIOS machines) or Rufus (for UEFI machines).

2. Place the bootable media into the appropriate drive, start up the machine and instruct the BIOS/UEFI, by pressing a special function key (F2, F11 or F12), to boot from the inserted USB/CD drive.

In a few seconds you will be presented with the first screen of Ubuntu installer. Select your language to perform the installation and hit Enter key to move to the next screen.

Choose Ubuntu 16.04 Server Installation Language

3. Next, select the first option, Install Ubuntu Server and press Enter key to continue.

Install Ubuntu 16.04 Server

4. Select the language you wish to install the system in and press Enter again to continue further.

Select Language for Ubuntu 16.04 Server

5. On the next series of screens choose your physical location from the presented list. If your location is different from the ones offered on the first screen, select other and hit the Enter key, then select the location based on your continent and country. This location will also be used by the timezone system variable. Use the below screenshots as a guide.

Choose Location for Ubuntu 16.04 Server

Select Country Region

Select Area Location

6. Assign the locales and keyboard settings for your system as illustrated below and hit Enter to continue the installation setup.

Configure Locales

Configure Keyboard Layout

7. The installer will load a series of additional components required for the next steps and will automatically configure your network settings in case you have a DHCP server on the LAN.

Because this installation is intended for a server, it’s a good idea to set up a static IP address for your network interface.

To do this, you can interrupt the automatic network configuration process by pressing Cancel, or, once the installer reaches the hostname phase, you can hit Go Back and choose Configure network manually.

Set Ubuntu 16.04 Hostname

Configure Network Manually

8. Enter your network settings accordingly (IP Address, netmask, gateway and at least two DNS nameservers) as illustrated on the below images.

Set Static IP Address on Ubuntu 16.04

Configure Network Mask for Ubuntu 16.04

Configure Network Gateway for Ubuntu 16.04

Configure Network DNS on Ubuntu 16.04

9. On the next step set up a descriptive hostname for your machine and a domain (not necessarily required) and hit Continue to move to the next screen. This step concludes the network settings.

Set Ubuntu 16.04 Server Hostname

Set Ubuntu 16.04 Domain Name

10. On this step the installer prompts you to set up a username and a password for your system. This user will be granted sudo privileges by the system, so, technically, this user will be the supreme administrator next to the root account (which is disabled by default).

Thus, choose an inspired username, maybe hard to guess for security reasons, with a strong password and hit on Continue. Choose not to encrypt your home directory and press Enter to continue further.

Setup User and Password

11. Next, the installer will automatically set your clock based on the physical location configured earlier. In case the location is correctly chosen hit on Yes to continue to disk partition layout.

Configure System Clock

12. On the next step you can choose the method that will be used to slice up your disk. For instance, if you need to create a custom partition scheme (such as /home, /var, /boot, etc.) choose the Manual method.

For a general purpose server you can stick to Guided with LVM method as illustrated below, which automatically creates the partitions on your behalf.

Select Partition Method

13. Next, select the disk that will be used by the installer to create partitions and press Enter key.

Select Disk Partition

14. Answer with Yes at the next screen in order to commit changes to disk with LVM scheme and hit on Continue to use the entire disk space for guided partitions.

Add Disk Partition Size

Confirm Disk Partition Changes

15. Finally, approve for the last time the changes to be written to disk by pressing on Yes and the installation will now begin. From this step on all the changes will be committed to disk.

Confirm Disk Partition Changes

Installing Ubuntu 16.04 Server

16. In case your system is behind a proxy or a firewall, use the next screen to configure the proxy so the installer can get past the network restrictions; otherwise just leave it blank and hit Continue.

Configure System Package Manager

17. Next, the installer will configure apt repositories and will install the selected software. After it finishes the installation tasks a new screen will appear which will ask you how to manage the upgrade process. Select No automatic updates for now (you will manually select what updates are necessary) and hit the Enter key to continue.

Manage Ubuntu 16.04 Upgrades

18. On the next step you will be asked to select what software to install. Select only standard system utilities and OpenSSH server (if you require remote access) by pressing the spacebar key and hit on Continue.

System Software Selection

19. Once the installer finishes installing the software, a new screen will ask whether to install the GRUB boot loader to the hard disk MBR (first 512 byte sector). Obviously without GRUB you can’t boot up your system after restart, so hit Yes to continue with the installation.

Install Grub Boot Loader

20. Finally, after the boot loader is written to Hard Disk MBR, the installation process finishes. Hit on Continue to reboot the machine and remove the installation media.

Finish Ubuntu 16.04 Server Installation

21. After reboot, login to your system console using the credentials configured during the installation process and you’re good to go on production with your server.

Ubuntu 16.04 Server Login Prompt

That’s all! Keep in mind that this version of Ubuntu has official maintenance support from Canonical until 2021 for hardware, bugs, software and security updates.

Initial Ubuntu Server Setup for Beginners

This tutorial will guide you through the first basic steps you need to configure on a newly installed Ubuntu server in order to increase security and reliability for your server.

The configurations explained in this topic are almost the same for all Ubuntu server systems, regardless of the underlying platform, whether Ubuntu is installed on a bare-metal server, in a private virtual machine or in a virtual machine spun up in a VPS public cloud.

Requirements

  1. Ubuntu Server Edition installation

Update and Upgrade Ubuntu System

The first step you need to take care of on a fresh installation of Ubuntu server or a newly deployed Ubuntu VPS is to make sure the system and all system components, such as the kernel, the package manager and all other installed packages, are up-to-date with the latest released versions and security patches.

To update Ubuntu server, log in to the server’s console with an account with root privileges or directly as root and run the below commands in order to perform the update and upgrade process.

$ sudo apt update 

Update Ubuntu Server

After running the update command, you will see the number of available packages for upgrading process and the command used for listing the packages upgrades.

$ sudo apt list --upgradable

List Upgrade Ubuntu Packages

After you’ve consulted the list of packages available for upgrading, issue the below command to start system upgrade process.

$ sudo apt upgrade

Upgrade Ubuntu Server Packages

In order to remove packages that are no longer needed and clear all locally downloaded deb packages and other apt caches, execute the below commands.

$ sudo apt autoremove
$ sudo apt clean

Autoremove APT Packages and Cache

Create New Account in Ubuntu

By default, as a security measure, the root account is completely disabled in Ubuntu. In order to create a new account on the system, log in to the system with an account that has root privileges and create a new account with the below command.

This new account will be granted root privileges via the sudo command and will be used to perform administrative tasks in the system. Make sure you set up a strong password to protect this account. Follow the adduser prompt to set up the user details and password.

$ sudo adduser ubuntu_user

Create User in Ubuntu

If this account will be assigned to another system admin, you can force the user to change its password at the first log in attempt by issuing the following command.

$ sudo chage -d0 ubuntu_user

For now, the newly added user cannot perform administrative tasks via the sudo utility. To grant this new user account administrative privileges you should add the user to the “sudo” system group by issuing the below command.

$ sudo usermod -a -G sudo ubuntu_user

By default, all users belonging to the “sudo” group are allowed to execute commands with root privileges via sudo utility. Sudo command must be used before writing the command needed for execution, as shown in the below example.

$ sudo apt install package_name

Test whether the new user has been granted root privileges by logging in to the system as that user and running the apt update command prefixed with sudo.

$ su - ubuntu_user
$ sudo apt update

Verify New User

Configure System Hostname in Ubuntu

Usually, the machine hostname is set-up during the system installation process or when the VPS is created in the cloud. However, you should change the name of your machine in order to better reflect the destination of your server or to better describe its final purpose.

In a large company, machines are named after complex naming schemes in order to easily identify the machine in datacenter’s racks. For instance, if your Ubuntu machine will operate a mail server, the name of the machine should reflect this fact and you can setup machine hostname as mx01.mydomain.lan, for example.

To show details about your machine hostname run the following command.

$ hostnamectl

In order to change the name of your machine, issue hostnamectl command with the new name you will configure for your machine, as illustrated in the below excerpt.

$ sudo hostnamectl set-hostname tecmint

Verify the new name of your system with one of the below commands.

$ hostname
$ hostname -s
$ cat /etc/hostname 

Set Hostname in Ubuntu Server

Setup SSH with Public Key Authentication in Ubuntu

To increase the security of an Ubuntu server, you should set up SSH public key authentication for a local account. In order to generate an SSH key pair (the public and private key) with a specified key length, such as 2048 bits, execute the following command at your server console.

Make sure you’re logged in to the system as the user you’re setting up the SSH key for.

$ su - ubuntu_user
$ ssh-keygen -t RSA -b 2048

Setup SSH Keys in Ubuntu

While the key is generated, you will be prompted to add a passphrase in order to secure the key. You can enter a strong passphrase or choose to leave the passphrase blank if you want to automate tasks via SSH server.

After the SSH key has been generated, you can copy the public key to a remote server by executing the below command. To install the public key to the remote SSH server you will need a remote user account with the proper permissions and credentials to log in to remote server.

$ ssh-copy-id remote_user@remote_server

Copy SSH Key to Remote Server

You should be able to automatically log in via SSH to the remote server using the public key authentication method. You won’t need to add the remote user password while using SSH public key authentication.

After you’ve logged in to the remote server, you can start to execute commands, such as w command to list ssh remote logged in users, as shown in the below screenshot.

Type exit in the console to close the remote SSH session.

$ ssh remote_user@remote_server
$ w
$ exit

Verify SSH Passwordless Login

To see the content of your public SSH key in order to manually install the key to a remote SSH server, issue the following command.

$ cat ~/.ssh/id_rsa.pub

View SSH Key

Secure SSH Server in Ubuntu

In order to secure the SSH daemon you should change the default SSH port number from 22 to a random port, higher than 1024, and disallow remote SSH access to the root account via password or key. Open the SSH server main configuration file and make the following changes.

$ sudo vi /etc/ssh/sshd_config

First, search for the commented line #Port 22 and add a new line underneath (replace the listening port number accordingly):

Port 2345

Don’t close the file, scroll down and search for the line #PermitRootLogin yes, uncomment the line by removing the # sign (hashtag) from the beginning of the line and modify the line to look like shown in the below excerpt.

PermitRootLogin no

Secure SSH Service

Afterwards, restart the SSH server to apply the new settings and test the configuration by trying to log in from a remote machine to this server with the root account via the new port number. The access to root account via SSH should be restricted.

$ sudo systemctl restart sshd

Also, run netstat or ss command and filter the output via grep in order to show the new listening port number for SSH server.

$ sudo ss -tlpn| grep ssh
$ sudo netstat -tlpn| grep ssh

Verify SSH Port
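The check below is an added example, not part of the original article: it audits an sshd_config file for the two changes described above. It relies on two documented sshd behaviours: every active Port line adds a listening port, and for other keywords the first value read is the one used, so a line added underneath an already active one may not take effect. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# Print the active values of keyword $2 in the global section of file $1.
sshd_values() {
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*(#|$)/ { next }              # comment or blank line
        { sub(/[ \t]*=[ \t]*/, " ") }        # accept the "Keyword=value" form
        tolower($1) == "match" { exit }      # Match blocks apply conditionally
        tolower($1) == kw { print $2 }
    ' "$1"
}

# usage: sshd_audit FILE EXPECTED_PORT ; exit status 0 only if both checks pass
sshd_audit() (
    rc=0
    ports=$(sshd_values "$1" Port | xargs)   # join all Port lines with spaces
    [ -n "$ports" ] || ports=22              # no Port line: sshd defaults to 22
    if [ "$ports" = "$2" ]; then
        echo "OK   listening port: $ports"
    else
        echo "FAIL listening port(s): $ports (expected only $2)"; rc=1
    fi
    root=$(sshd_values "$1" PermitRootLogin | head -n 1)   # first value wins
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset, built-in default applies}'"; rc=1
    fi
    later=$(sshd_values "$1" PermitRootLogin | sed 1d | xargs)
    [ -z "$later" ] || echo "NOTE later PermitRootLogin line(s) ignored: $later"
    exit "$rc"
)

# Constructed sample files, written into directory $1. "before" still has an
# active Port 22 and an earlier PermitRootLogin line above the added ones.
write_samples() {
    printf '%s\n' 'Port 22' 'Port 2345' \
        'PermitRootLogin prohibit-password' 'PermitRootLogin no' > "$1/before"
    printf '%s\n' '#Port 22' 'Port 2345' \
        '#PermitRootLogin yes' 'PermitRootLogin no' > "$1/after"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"
for f in before after; do
    echo "== $f"
    sshd_audit "$tmp/$f" 2345 || true
done
```

On the server itself, `sudo sshd -T` prints the effective configuration that sshd would use, which is the authoritative version of the same check.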

There are situations where you might want to automatically disconnect all remote SSH connections established into your server after a period of inactivity.

In order to enable this feature, execute the below command, which adds the TMOUT bash variable to your account .bashrc hidden file and forces every SSH connection made with the name of the user to be disconnected or dropped-out after 5 minutes of inactivity.

$ echo 'TMOUT=300' >> ~/.bashrc

Run tail command to check if the variable has been correctly added at the end of .bashrc file. All subsequent SSH connections will be automatically closed after 5 minutes of inactivity from now on.

$ tail ~/.bashrc

In the below screenshot, the remote SSH session from the drupal machine to the Ubuntu server via the ubuntu_user account has timed out and been logged out automatically after 5 minutes.

Auto Disconnect SSH Sessions

Configure Ubuntu Firewall UFW

Every server needs a well configured firewall in order to secure the system at network level. Ubuntu server uses UFW application to manage the iptables rules on the server.

Check the status of UFW firewall application in Ubuntu by issuing the below commands.

$ sudo systemctl status ufw
$ sudo ufw status

Check UFW Firewall Status

Usually, the UFW firewall daemon is up and running in Ubuntu server, but the rules are not applied by default. Before enabling the UFW firewall policy on your system, you should first add a new rule to allow SSH traffic to pass through the firewall via the changed SSH port. The rule can be added by executing the below command.

$ sudo ufw allow 2345/tcp

After you’ve allowed SSH traffic, you can enable and check UFW firewall application with the following commands.

$ sudo ufw enable
$ sudo ufw status

Open SSH Port and Verify

To add new firewall rules for other network services subsequently installed on your server, such as HTTP server, a mail server or other network services, use the below firewall commands examples as guide.

$ sudo ufw allow http  #allow http traffic
$ sudo ufw allow proto tcp from any to any port 25,443  # allow https and smtp traffic

To list all firewall rules run the below command.

$ sudo ufw status verbose

Check UFW Firewall Rules

Set Ubuntu Server Time

To control or query Ubuntu server clock and other related time settings, execute timedatectl command with no argument.

In order to change your server’s time zone settings, first execute timedatectl command with list-timezones argument to list all available time zones and, then, set the time zone of your system as shown in the below excerpt.

$ sudo timedatectl 
$ sudo timedatectl list-timezones 
$ sudo timedatectl set-timezone Europe/Vienna

Set Ubuntu Timezone

The new systemd-timesyncd daemon client can be used in Ubuntu to provide accurate time for your server across the network and synchronize time with an upstream time server.

To apply this new feature of systemd, modify the systemd-timesyncd daemon configuration file and add the geographically closest NTP servers to the NTP statement line, as shown in the below file excerpt:

$ sudo nano /etc/systemd/timesyncd.conf

Add following configuration to timesyncd.conf file:

[Time]
NTP=0.pool.ntp.org 1.pool.ntp.org
FallbackNTP=ntp.ubuntu.com

NTP Time Configuration


To add your geographically nearest NTP servers, consult the NTP pool project server list at the following address: http://www.pool.ntp.org/en/

Afterwards, restart the Systemd timesync daemon to reflect changes and check daemon status by running the below commands. After restart, the daemon will start to sync time with the new ntp server peer.

$ sudo systemctl restart systemd-timesyncd.service 
$ sudo systemctl status systemd-timesyncd.service

Start TimeSyncd Service

Disable and Remove Unneeded Services in Ubuntu

In order to get a list of all TCP and UDP network services up-and-running by default in your Ubuntu server, execute the ss or netstat command.

$ sudo netstat -tulpn
OR
$ sudo ss -tulpn

List All Running Services

Starting with the Ubuntu 16.10 release, the default DNS resolver is controlled by the systemd-resolved service, as revealed by the output of the netstat or ss commands.

You should also check the systemd-resolved service status by running the following command.

$ sudo systemctl status systemd-resolved.service

Check Systemd Resolved Status


The systemd-resolved service binds on all enabled network interfaces and listens on ports 53 and 5355 TCP and UDP.

Running the systemd-resolved caching DNS daemon on a production server can be dangerous due to the large number of DDoS attacks performed by malicious hackers against unsecured DNS servers.

In order to stop and disable this service, execute the following commands.

$ sudo systemctl stop systemd-resolved
$ sudo systemctl disable systemd-resolved

Disable Systemd Resolved Service


Verify that the service has been stopped and disabled by issuing the ss or netstat command. The systemd-resolved listening ports, 53 and 5355 TCP and UDP, should not be listed in the netstat or ss command output, as illustrated below.

You should also reboot the machine in order to completely disable all systemd-resolved daemon services and restore the default /etc/resolv.conf file.

$ sudo ss -tulpn
$ sudo netstat -tulpn
$ sudo systemctl reboot

Verify All Running Services
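Checking the ss output by eye is easy to get wrong on a busy host. The added example below (not from the original article) compares `ss -tulpn` output against an allowlist of expected listeners and reports everything else; the function names, the allowlist format and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# stdin: output of `ss -tulpn`; $1: space-separated allowlist of "proto/port".
# Prints "proto/port local-address process" for every listener that is not on
# the allowlist and returns non-zero if any was found.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }      # header line, other socket types
        {
            port = $5
            sub(/.*:/, "", port)                 # text after the last colon
            addr = substr($5, 1, length($5) - length(port) - 1)
            proc = "?"                           # shown only when run as root
            if (match($0, /\(\("[^"]*"/))
                proc = substr($0, RSTART + 3, RLENGTH - 4)
            key = $1 "/" port
            if (!(key in ok)) { print key, addr, proc; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample of `ss -tulpn` output taken before systemd-resolved is
# disabled, with sshd already moved to port 2345.
sample_ss_output() {
    cat <<'EOF'
Netid State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN  0      0      127.0.0.53%lo:53     0.0.0.0:*    users:(("systemd-resolve",pid=612,fd=12))
udp   UNCONN  0      0      0.0.0.0:5355         0.0.0.0:*    users:(("systemd-resolve",pid=612,fd=10))
tcp   LISTEN  0      128    0.0.0.0:5355         0.0.0.0:*    users:(("systemd-resolve",pid=612,fd=11))
tcp   LISTEN  0      128    0.0.0.0:2345         0.0.0.0:*    users:(("sshd",pid=901,fd=3))
tcp   LISTEN  0      128    [::]:2345            [::]:*       users:(("sshd",pid=901,fd=4))
EOF
}

# Only SSH on the changed port is expected, so the three resolver sockets
# are reported.
sample_ss_output | unexpected_listeners "tcp/2345" || true
```

On a live server the same function can be fed directly: `sudo ss -tulpn | unexpected_listeners "tcp/2345"`.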


Although you’ve disabled some unwanted networking services on your server, there are also other services installed and running in your system, such as the lxc process and the snapd service. These services can be easily detected via the ps, top or pstree commands.

$ sudo ps aux
$ sudo top
$ sudo pstree

List Running Services in Tree Format

In case you’re not going to use LXC container virtualization in your server or start installing software packaged via Snap package manager, you should completely disable and remove these services, by issuing the below commands.

$ sudo apt autoremove --purge lxc-common lxcfs
$ sudo apt autoremove --purge snapd

That’s all! The Ubuntu server is now prepared for installing additional software needed for custom network services or applications, such as installing and configuring a web server, a database server, a file share service or other specific applications.
