- \n
- Ubuntu Server Edition installation<\/a><\/li>\n<\/ol>\n
Update and Upgrade Ubuntu System<\/h3>\n
The first step you need to take care of in case of fresh installation of Ubuntu server or a new deployed Ubuntu VPS is to make sure the system and all system components, such as the kernel, the package manager and all other installed packages are up-to-date with the latest released versions and security patches.<\/p>\n
To update Ubuntu server, to log in to server\u2019s console with an account with root privileges or directly as root and run the below commands in order to perform the update and upgrade process.<\/p>\n
$ sudo apt update \r\n<\/pre>\n
\n![\"Update](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Update-Ubuntu-Server.png\")
<\/a><\/p>\nUpdate Ubuntu Server<\/p>\n
<\/p>\n<\/div>\n
After running the update command, you will see the number of available packages for upgrading process and the command used for listing the packages upgrades.<\/p>\n
$ sudo apt list --upgradable\r\n<\/pre>\n
\n![\"List](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Upgrade-Ubuntu-Server.png\")
<\/a><\/p>\nList Upgrade Ubuntu Packages<\/p>\n<\/div>\n
After you\u2019ve consulted the list of packages available for upgrading, issue the below command to start system upgrade process.<\/p>\n
$ sudo apt upgrade\r\n<\/pre>\n
\n![\"Upgrade](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Upgrade-Ubuntu-Server-Packages.png\")
<\/a><\/p>\nUpgrade Ubuntu Server Packages<\/p>\n<\/div>\n
In order to remove all locally downloaded deb packages and all other\u00a0apt-get caches<\/a>, execute the below command.<\/p>\n
$ sudo apt autoremove\r\n$ sudo apt clean\r\n<\/pre>\n
\n![\"Autoremove](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Autoremove-APT-Packages-and-Cache.png\")
<\/a><\/p>\nAutoremove APT Packages and Cache<\/p>\n<\/div>\n
Create New Account in Ubuntu<\/h3>\n
By default, as a security measure, the root account is completely disabled in Ubuntu. In order to create a new account on the system, log in to the system with the account user with root privileges and create a new account with the below command.<\/p>\n
This new account will be granted with root powers privileges via\u00a0sudo command<\/a>\u00a0and will be used to perform administrative tasks in the system. Make sure you setup a strong password to protect this account. Follow the\u00a0adduser<\/strong>\u00a0prompt to setup the user details and password.<\/p>\n
$ sudo adduser ubuntu_user\r\n<\/pre>\n
\n![\"Create](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Create-User-in-Ubuntu.png\")
<\/a><\/p>\nCreate User in Ubuntu<\/p>\n<\/div>\n
If this account will be assigned to another system admin, you can force the user to change its password at the first log in attempt by issuing the following command.<\/p>\n
$ sudo chage -d0 ubuntu_user\r\n<\/pre>\n
For now, the new added user cannot perform administrative tasks via sudo utility. To grant this new user account with administrative privileges you should add the user to \u201csudo<\/strong>\u201d system group by issuing the below command.<\/p>\n
$ sudo usermod -a -G sudo ubuntu_user\r\n<\/pre>\n
By default, all users belonging to the \u201csudo<\/strong>\u201d group are allowed to execute commands with root privileges via\u00a0sudo utility<\/a>. Sudo command must be used before writing the command needed for execution, as shown in the below example.<\/p>\n
$ sudo apt install package_name\r\n<\/pre>\n
Test if the new user has the root privileges granted, by logging in to the system and run the\u00a0apt update<\/strong>command prefixed with sudo.<\/p>\n
$ su - ubuntu_user\r\n$ sudo apt update\r\n<\/pre>\n
\n![\"Verify](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Verify-New-User.png\")
<\/a><\/p>\nVerify New User<\/p>\n<\/div>\n
Configure System Hostname in Ubuntu<\/h3>\n
Usually, the machine hostname is set-up during the system installation process or when the VPS is created in the cloud. However, you should change the name of your machine in order to better reflect the destination of your server or to better describe its final purpose.<\/p>\n
In a large company, machines are named after complex naming schemes in order to easily identify the machine in datacenter\u2019s racks. For instance, if your Ubuntu machine will operate a mail server, the name of the machine should reflect this fact and you can setup machine hostname as\u00a0mx01.mydomain.lan<\/strong>, for example.<\/p>\n
To show details about your machine hostname run the following command.<\/p>\n
$ hostnamectl\r\n<\/pre>\n
In order to change the name of your machine, issue\u00a0hostnamectl command<\/strong>\u00a0with the new name you will configure for your machine, as illustrated in the below excerpt.<\/p>\n
$ sudo hostnamectl set-hostname tecmint\r\n<\/pre>\n
Verify the new name of your system with one of the below commands.<\/p>\n
$ hostname\r\n$ hostname -s\r\n$ cat \/etc\/hostname \r\n<\/pre>\n
\n![\"Set](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Set-Hostname-in-Ubuntu-Server.png\")
<\/a><\/p>\nSet Hostname in Ubuntu Server<\/p>\n<\/div>\n
Setup SSH with Public Key Authentication in Ubuntu<\/h3>\n
To increase system security degree of an Ubuntu server, you should set-up SSH public key authentication for an local account. In order to generate SSH Key Pair, the public and private key, with a specifying a key length, such as 2048 bits, execute the following command at your server console.<\/p>\n
Make sure you\u2019re logged in to the system with the user you\u2019re setting up the SSH key.<\/p>\n
$ su - ubuntu_user\r\n$ ssh-keygen -t RSA -b 2048\r\n<\/pre>\n
\n![\"Setup](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Setup-SSH-Keys-in-Ubuntu.png\")
<\/a><\/p>\nSetup SSH Keys in Ubuntu<\/p>\n<\/div>\n
While the key is generated, you will be prompted to add\u00a0passphrase<\/strong>\u00a0in order to secure the key. You can enter a strong passphrase or choose to leave the passphrase blank if you want to automate tasks via SSH server.<\/p>\n
After the SSH key has been generated, you can copy the public key to a remote server by executing the below command. To install the public key to the remote SSH server you will need a remote user account with the proper permissions and credentials to log in to remote server.<\/p>\n
$ ssh-copy-id remote_user@remote_server\r\n<\/pre>\n
\n![\"Copy](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Copy-SSH-Key-to-Remote-Server.png\")
<\/a><\/p>\nCopy SSH Key to Remote Server<\/p>\n<\/div>\n
You should be able to automatically log in via SSH to the remote server using the public key authentication method. You won\u2019t need to add the remote user password while using SSH public key authentication.<\/p>\n
After you\u2019ve logged in to the remote server, you can start to execute commands, such as\u00a0w command<\/strong>\u00a0to list ssh remote logged in users, as shown in the below screenshot.<\/p>\n
Type exit in the console to close the remote SSH session.<\/p>\n
$ ssh remote_user@remote_server\r\n$ w\r\n$ exit\r\n<\/pre>\n
\n![\"Verify](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Verify-SSH-Passwordless-Login.png\")
<\/a><\/p>\nVerify SSH Passwordless Login<\/p>\n<\/div>\n
To see the content of your public SSH key in order to manually install the key to a remote SSH server, issue the following command.<\/p>\n
$ cat ~\/.ssh\/id_rsa.pub\r\n<\/pre>\n
\n![\"View](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/View-SSH-Key.png\")
<\/a><\/p>\nView SSH Key<\/p>\n<\/div>\n
Secure SSH Server in Ubuntu<\/h3>\n
In order to secure the SSH daemon you should change the default SSH port number from\u00a022<\/strong>\u00a0to a random port, higher than\u00a01024<\/strong>, and disallow remote SSH access to the root account via password or key, by opening SSH server main configuration file and make the following changes.<\/p>\n
$ sudo vi \/etc\/ssh\/sshd_config\r\n<\/pre>\n
First, search the commented line\u00a0#Port22<\/strong>\u00a0and add a new line underneath (replace the listening port number accordingly):<\/p>\n
Port 2345\r\n<\/pre>\n
Don\u2019t close the file, scroll down and search for the line\u00a0#PermitRootLogin yes<\/strong>, uncomment the line by removing the\u00a0#<\/strong>\u00a0sign (hashtag) from the beginning of the line and modify the line to look like shown in the below excerpt.<\/p>\n
PermitRootLogin no\r\n<\/pre>\n
\n![\"Secure](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Secure-SSH-Service.png\")
<\/a><\/p>\nSecure SSH Service<\/p>\n<\/div>\n
Afterwards, restart the SSH server to apply the new settings and test the configuration by trying to log in from a remote machine to this server with the root account via the new port number. The access to root account via SSH should be restricted.<\/p>\n
$ sudo systemctl restart sshd\r\n<\/pre>\n
Also, run\u00a0netstat<\/a>\u00a0or\u00a0ss command<\/strong>\u00a0and filter the output via\u00a0grep<\/a>\u00a0in order to show the new listening port number for SSH server.<\/p>\n
$ sudo ss -tlpn| grep ssh\r\n$ sudo netstat -tlpn| grep ssh\r\n<\/pre>\n
\n![\"Verify](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Verify-SSH-Port.png\")
<\/a><\/p>\nVerify SSH Port<\/p>\n<\/div>\n
There are situations where you might want to automatically\u00a0disconnect all remote SSH connections<\/a>\u00a0established into your server after a period of inactivity.<\/p>\n
In order to enable this feature, execute the below command, which adds the\u00a0TMOUT<\/strong>\u00a0bash variable to your account\u00a0.bashrc<\/strong>\u00a0hidden file and forces every SSH connection made with the name of the user to be disconnected or dropped-out after 5 minutes of inactivity.<\/p>\n
$ echo 'TMOUT=300' >> .bashrc\r\n<\/pre>\n
Run\u00a0tail command<\/a>\u00a0to check if the variable has been correctly added at the end of\u00a0.bashrc<\/strong>\u00a0file. All subsequent SSH connections will be automatically closed after 5 minutes of inactivity from now on.<\/p>\n
$ tail .bashrc\r\n<\/pre>\n
In the below screenshot, the remote SSH session from drupal machine to Ubuntu server via ubuntu_user account has been timed out and auto-logout after 5 minutes.<\/p>\n
\n![\"Auto](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Auto-Disconnect-SSH-Sessions.png\")
<\/a><\/p>\nAuto Disconnect SSH Sessions<\/p>\n<\/div>\n
Configure Ubuntu Firewall UFW<\/h3>\n
Every server needs a well configured firewall in order to secure the system at network level. Ubuntu server uses\u00a0UFW<\/strong>\u00a0application to manage the iptables rules on the server.<\/p>\n
Check the status of UFW firewall application in Ubuntu by issuing the below commands.<\/p>\n
$ sudo systemctl status ufw\r\n$ sudo ufw status\r\n<\/pre>\n
\n![\"Check](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Check-UFW-Firewall-Status.png\")
<\/a><\/p>\nCheck UFW Firewall Status<\/p>\n<\/div>\n
Usually, the UFW firewall daemon is up and running in Ubuntu server, but the rules are not applied by default. Before enabling UFW firewall policy in you system, first you should add a new rule to allow SSH traffic to pass through firewall via the changed SSH port. The rule can be added by executing the below command.<\/p>\n
$ sudo ufw allow 2345\/tcp\r\n<\/pre>\n
After you\u2019ve allowed SSH traffic, you can enable and check UFW firewall application with the following commands.<\/p>\n
$ sudo ufw enable\r\n$ sudo ufw status\r\n<\/pre>\n
\n![\"Open](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Open-SSH-Port-and-Verify.png\")
<\/a><\/p>\nOpen SSH Port and Verify<\/p>\n<\/div>\n
To add new firewall rules for other network services subsequently installed on your server, such as HTTP server, a mail server or other network services, use the below firewall commands examples as guide.<\/p>\n
$ sudo ufw allow http #allow http traffic\r\n$ sudo ufw allow proto tcp from any to any port 25,443 # allow https and smtp traffic\r\n<\/pre>\n
To list all firewall rules run the below command.<\/p>\n
$ sudo ufw status verbose\r\n<\/pre>\n
\n![\"Check](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Check-UFW-Firewall-Rules.png\")
<\/a><\/p>\nCheck UFW Firewall Rules<\/p>\n<\/div>\n
Set Ubuntu Server Time<\/h3>\n
To control or query Ubuntu server clock and other related time settings, execute\u00a0timedatectl command<\/a>\u00a0with no argument.<\/p>\n
In order to change your server\u2019s time zone settings, first execute\u00a0timedatectl command<\/strong>\u00a0with list-timezones argument to list all available time zones and, then, set the time zone of your system as shown in the below excerpt.<\/p>\n
$ sudo timedatectl \r\n$ sudo timedatectl list-timezones \r\n$ sudo timedatectl set-timezone Europe\/Vienna\r\n<\/pre>\n
\n![\"Set](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Set-Ubuntu-Timezone.png\")
<\/a><\/p>\nSet Ubuntu Timezone<\/p>\n<\/div>\n
The new\u00a0systemd-timesyncd<\/strong>\u00a0systemd daemon client can be utilized in Ubuntu in order to provide an accurate time for your server across network and synchronize time with an upper time peer server.<\/p>\n
To apply this new feature of Systemd, modify\u00a0systemd-timesyncd<\/strong>\u00a0daemon configuration file and add the closest geographically NTP servers to NTP statement line, as shown in the below file excerpt:<\/p>\n
$ sudo nano \/etc\/systemd\/timesyncd.conf\r\n<\/pre>\n
Add following configuration to\u00a0timesyncd.conf<\/strong>\u00a0file:<\/p>\n
[Time]\r\nNTP=0.pool.ntp.org 1.pool.ntp.org\r\nFallbackNTP=ntp.ubuntu.com\r\n<\/pre>\n
\n![\"NTP](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/NTP-Configuration.png\")
<\/a><\/p>\nNTP Time Configuration<\/p>\n<\/div>\n
To add your nearest geographically NTP servers, consult the NTP pool project server list at the following address:\u00a0http:\/\/www.pool.ntp.org\/en\/<\/a><\/p>\n
Afterwards, restart the Systemd timesync daemon to reflect changes and check daemon status by running the below commands. After restart, the daemon will start to sync time with the new ntp server peer.<\/p>\n
$ sudo systemctl restart systemd-timesyncd.service \r\n$ sudo systemctl status systemd-timesyncd.service\r\n<\/pre>\n
\n![\"Start](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Start-TimeSyncd-Service.png\")
<\/a><\/p>\nStart TimeSyncd Service<\/p>\n<\/div>\n
Disable and Remove Unneeded Services in Ubuntu<\/h3>\n
In order to get a list of all TCP and UDP network services up-and-running by default in your Ubuntu server, execute the\u00a0ss<\/strong>\u00a0or\u00a0netstat command<\/a>.<\/p>\n
$ sudo netstat -tulpn\r\nOR\r\n$ sudo ss -tulpn\r\n<\/pre>\n
\n![\"List](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/List-All-Running-Services.png\")
<\/a><\/p>\nList All Running Services<\/p>\n<\/div>\n
Staring with\u00a0Ubuntu 16.10<\/strong>\u00a0release, the default DNS resolver is now controlled by\u00a0systemd-resolved<\/strong>\u00a0service, as revealed by the output of\u00a0netstat<\/strong>\u00a0or\u00a0ss commands<\/strong>.<\/p>\n
You should also check the\u00a0systemd-resolved<\/strong>\u00a0service status by running the following command.<\/p>\n
$ sudo systemctl status systemd-resolved.service\r\n<\/pre>\n
\n![\"Check](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Check-Systemd-resolved-Status.png\")
<\/a><\/p>\nCheck Systemd Resolved Status<\/p>\n<\/div>\n
The\u00a0systemd-resolved<\/strong>\u00a0service binds on all enabled network interfaces and listens on ports\u00a053<\/strong>\u00a0and\u00a05355 TCP<\/strong>and\u00a0UDP<\/strong>.<\/p>\n
Running\u00a0system-resolved<\/strong>\u00a0caching DNS daemon on a production server can be dangerous due to the numerous number of DDOS attacks performed by malicious hackers against unsecured DNS servers.<\/p>\n
In order to stop and disable this service, execute the following commands.<\/p>\n
$ sudo systemctl stop systemd-resolved\r\n$ sudo systemctl disable systemd-resolved\r\n<\/pre>\n
\n![\"Disable](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Disable-Systemd-Resolved.png\")
<\/a><\/p>\nDisable Systemd Resolved Service<\/p>\n<\/div>\n
Verify if the service has been stopped and disabled by issuing\u00a0ss<\/strong>\u00a0or\u00a0netstat command<\/strong>. The systemd-resolved listening ports, 53 and 5355 TCP and UDP, should not be listed in netstat or ss command output, as illustrated in the below.<\/p>\n
You should also reboot the machine in order to completely disable all systemd-resolved daemon services and restore the default\u00a0\/etc\/resolv.conf<\/strong>\u00a0file.<\/p>\n
$ sudo ss -tulpn\r\n$ sudo netstat -tulpn\r\n$ sudo systemctl reboot\r\n<\/pre>\n
\n![\"Verify](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/Verify-All-Running-Services.png\")
<\/a><\/p>\nVerify All Running Services<\/p>\n<\/div>\n
Although, you\u2019ve disabled some unwanted networking services to run in your server, there are also other services installed and running in your system, such as\u00a0lxc<\/strong>\u00a0process and\u00a0snapd<\/strong>\u00a0service. These services can be easily detected via\u00a0ps<\/a>,\u00a0top<\/a>\u00a0or\u00a0pstree<\/strong>\u00a0commands.<\/p>\n
$ sudo ps aux\r\n$ sudo top\r\n$ sudo pstree\r\n<\/pre>\n
\n![\"List](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/10\/List-Running-Services-in-Tree-Format.png\")
<\/a><\/p>\nList Running Services in Tree Format<\/p>\n<\/div>\n
In case you\u2019re not going to use LXC container virtualization in your server or start installing software packaged via Snap package manager, you should completely disable and remove these services, by issuing the below commands.<\/p>\n
$ sudo apt autoremove --purge lxc-common lxcfs\r\n$ sudo apt autoremove --purge snapd\r\n<\/pre>\n
That\u2019s all! Now, Ubuntu server is now prepared for installing additional software needed for custom network services or applications, such as installing and configuring a web server, a database server, a file share service or other specific applications.<\/p>\n