Initial Server Setup with Ubuntu 22.04

When you first create a new Ubuntu 22.04 server, you should perform some important configuration steps as part of the initial setup. These steps will increase the security and usability of your server, and will give you a solid foundation for subsequent actions.

Logging in as root

If you are not connected to your server currently, log in as the root user using the following command:

ssh root@your_server_ip

About root

The root user is the administrative user in a Linux environment with elevated privileges. Because of the heightened privileges of the root account, you are discouraged from using it regularly. The root account can make very destructive changes, even by accident.

Creating a New User

Once you log in as root, you’ll be able to add the new user account. In the future, we’ll log in with this new account instead of root.

This example creates a new user called tommy, but you should replace that with a username that you like:

adduser tommy

You will be asked a few questions, starting with the account password.

Enter a strong password and, optionally, fill in any of the additional information if you would like. This information is not required, and you can press ENTER in any field you wish to skip.

Granting Administrative Privileges

To give your new user administrative privileges, you will need to add the user to the sudo system group. As root, run this command to add your new user to the sudo group:

usermod -aG sudo tommy

You can now type sudo before commands to run them with superuser privileges when logged in as your regular user.

Add Public Key Authentication

Setting this up will increase the security of your server by requiring a private SSH key to log in.

Generate a Key Pair

To generate a new key pair, enter the following command at the terminal of your local machine:

ssh-keygen

Next, you will be prompted for a passphrase to secure the key with. You may either enter a passphrase or leave the passphrase blank.

💡
If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Securing your keys with passphrases is more secure, but both methods have their uses and are more secure than basic password authentication.

This generates a private key, id_rsa, and a public key, id_rsa.pub, in the .ssh directory of the user's home directory. Remember that the private key should not be shared with anyone who should not have access to your servers!

Installing the Key

Use the following command at the terminal of your local machine to print your public key (id_rsa.pub):

cat ~/.ssh/id_rsa.pub

Select the public key, and copy it to your clipboard.

On the server, as the root user, enter the following command to temporarily switch to the new user (substitute your own user name):

su - tommy

Now you will be in your new user’s home directory.

Create a new directory called .ssh and restrict its permissions with the following commands:

mkdir ~/.ssh
chmod 700 ~/.ssh

Now open a file in .ssh called authorized_keys with a text editor. We will use nano to edit the file:

nano ~/.ssh/authorized_keys

Now insert your public key (which should be in your clipboard) by pasting it into the editor.

Hit CTRL-x to exit the file, then y to save the changes that you made, then ENTER to confirm the file name.

Now restrict the permissions of the authorized_keys file with this command:

chmod 600 ~/.ssh/authorized_keys

Type this command once to return to the root user:

exit

Now your public key is installed, and you can use SSH keys to log in as your user.
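
The following check for the key installation above is an added example, not part of the original guide. It confirms the 700 and 600 modes and that every authorized_keys entry sits on a single line; the function names, the demo directory and the placeholder key blob are constructed for illustration, and entries with an options prefix are assumed not to be in use.

```shell
#!/bin/sh
# Added example: verify a key install made with the steps above.
# Assumes plain "<type> <base64> [comment]" entries (no options prefix).

perm() { ls -ld "$1" | cut -c1-10; }   # e.g. "drwx------"

# check_key_install HOME_DIR: prints one line per problem, returns 0 if clean.
check_key_install() {
    ssh_dir=$1/.ssh; keys=$ssh_dir/authorized_keys; bad=0
    [ -d "$ssh_dir" ] || { echo "missing: $ssh_dir"; return 1; }
    [ -f "$keys" ]    || { echo "missing: $keys"; return 1; }
    [ "$(perm "$ssh_dir")" = "drwx------" ] || { echo "mode: $ssh_dir is not 700"; bad=1; }
    [ "$(perm "$keys")" = "-rw-------" ]    || { echo "mode: $keys is not 600"; bad=1; }
    # A key pasted into an editor can be wrapped or cut short; every entry
    # must be a key type followed by one unbroken base64 blob on a single line.
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         $1 ~ "^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$" &&
         $2 ~ "^AAAA[A-Za-z0-9+/]+=*$" { next }
         { printf "line %d: not a complete public key entry\n", NR; rc = 1 }
         END { exit rc }' "$keys" || bad=1
    return $bad
}

# Constructed demo home directory; the key blob is a placeholder, not a real key.
make_demo_home() {
    h=$(mktemp -d) && mkdir "$h/.ssh" && chmod 700 "$h/.ssh" || return 1
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderBlob tommy@laptop\n' \
        > "$h/.ssh/authorized_keys"
    chmod 600 "$h/.ssh/authorized_keys"
    printf '%s\n' "$h"
}

demo=$(make_demo_home)
check_key_install "$demo" && echo "key install looks correct"
rm -rf "$demo"
```

On the server, run check_key_install "$HOME" as the new user before you disable password authentication.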

Now that your new user can use SSH keys to log in, you can increase your server’s security by disabling password-only authentication. Doing so will restrict SSH access to your server to public key authentication only.

🚨
Only disable password authentication if you installed a public key to your user as recommended in the previous section. Otherwise, you will lock yourself out of your server!

To disable password authentication on your server, follow these steps.

As root or your new sudo user:

sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf

Change the line PasswordAuthentication yes to:

PasswordAuthentication no

When you are finished making your changes, save and close the file using the method we went over earlier (CTRL-X, then Y, then ENTER).

On older versions of Ubuntu, this setting is located in /etc/ssh/sshd_config.

Open the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Here are settings that are important for key-only authentication:

PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

With these settings you disable root login over SSH, enable public key authentication, and disable challenge-response authentication, which together harden your SSH server. On the OpenSSH release shipped with Ubuntu 22.04, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication.

Reload the SSH daemon:

sudo systemctl reload sshd

Password authentication is now disabled. Your server is now only accessible with SSH key authentication.
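
Why the drop-in file has to be edited, as an added example that is not part of the original guide: sshd uses the first value it reads for each keyword, and Ubuntu 22.04's sshd_config includes sshd_config.d/*.conf at the top, so a PasswordAuthentication yes left in 50-cloud-init.conf wins over a later no in the main file. The function names and sample files are constructed for illustration; on the server itself, sudo sshd -T prints the effective values.

```shell
#!/bin/sh
# Added example: report which file sets an sshd keyword first (first value wins).
# Simplifications: global section only (stops at the first Match line in a
# file), no quoted arguments, relative Include paths resolved against $3.

walk() (
    file=$1; want=$2; base=$3
    [ -r "$file" ] || exit 0
    # Normalise each directive to "<lowercased keyword><TAB><arguments>".
    awk '{ sub(/^[ \t]+/, "") }
         $0 == "" || /^#/ { next }
         !match($0, /[ \t=]+/) { next }
         { key = tolower(substr($0, 1, RSTART - 1))
           val = substr($0, RSTART + RLENGTH); sub(/[ \t]+$/, "", val)
           print key "\t" val }' "$file" |
    while IFS="$(printf '\t')" read -r key val; do
        case $key in
            match) break ;;
            include)
                case $val in /*) pat=$val ;; *) pat=$base/$val ;; esac
                for inc in $pat; do   # unquoted on purpose: glob, lexical order
                    if [ -f "$inc" ]; then walk "$inc" "$want" "$base"; fi
                done ;;
            "$want") printf '%s\t%s\n' "$val" "$file" ;;
        esac
    done
    exit 0
)

# sshd_first_value CONFIG KEYWORD -> "value<TAB>file" of the setting sshd would use
sshd_first_value() {
    walk "$1" "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" "$(dirname "$1")" | head -n 1
}

# Constructed sample mirroring the layout in this guide: the main file sets
# "no", but the drop-in included at the top still says "yes".
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin no\nPasswordAuthentication no\n' "$d" > "$d/sshd_config"
    printf '%s\n' "$d"
}

sample=$(make_sample)
sshd_first_value "$sample/sshd_config" PasswordAuthentication
rm -rf "$sample"
```

The sample prints yes together with the path of the drop-in file, which is the case where password logins stay enabled despite the edit to the main file.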

Test Login

Now, before you log out of the server, you should test your new configuration. Do not disconnect until you confirm that you can successfully log in via SSH.

In a new terminal, log in to your server using the new account:

ssh tommy@your_server_ip

If you added public key authentication to your user, your private key will be used as authentication. Otherwise, you will be prompted for your user’s password.

🚀
If you created your key pair with a passphrase, you will be prompted to enter the passphrase for your key. Otherwise, if your key pair is passphrase-less, you should be logged in to your server without a password.

Once authentication is provided to the server, you will be logged in as your new user.

Setting Up a Firewall

Ubuntu servers can use the UFW firewall to ensure only connections to certain services are allowed. You can set up a basic firewall using this application.

Applications can register their profiles with UFW upon installation. These profiles allow UFW to manage these applications by name. OpenSSH, the service that allows you to connect to your server, has a profile registered with UFW.

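You can examine the list of installed UFW profiles by typing the following (run the ufw commands in this section as root, or prefix them with sudo when logged in as your new user):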

ufw app list

You will need to make sure that the firewall allows SSH connections so that you can log into your server next time. Allow these connections by typing:

ufw allow OpenSSH

Now enable the firewall:

ufw enable

Type y and press ENTER to proceed. You can see that SSH connections are still allowed by typing:

ufw status

The firewall is currently blocking all connections except for SSH. If you install and configure additional services, you will need to adjust the firewall settings to allow the new traffic into your server.