Skip to content

Ubuntu 20.04 Server - First Steps

I am going to assume that a domain name has already been purchased. If not then it's probably best to get that sorted before continuing. Many registrars offer discounts for the first year and can be purchased for a couple of pounds. I personally use Namecheap to buy my domains.


Partitioning is often down to personal taste. I personally create separate partitions for /, /home, /var, /var/log, and /boot

Connect and Update

Connect to the new server via SSH

ssh root@<Server IP Address>

Update the repositories and install any available updates

apt update && apt upgrade

Securing Partitions

Mount /tmp on tmpfs and secure, then bind /var/tmp to /tmp:

nano /etc/fstab
tmpfs /tmp tmpfs rw,size=2G,nr_inodes=100k,noexec,nodev,nosuid,relatime 0 0  
/tmp /var/tmp none bind 0 0

Also ensure that the nodev option is set for the /home entry, and the noexec,nosuid,nodev options are set for shared memory /dev/shm

/dev/vg0/home  /home  ext4  defaults,nodev 0 0
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0

Mount the additional entries:

mount -a

Basic SSH Security

Next, before we can disable ssh access for the root user for security reasons, we need to create a normal user to perform all of our work via ssh instead. We then add this user to the sudo group so that he is able to temporarily elevate himself to run commands as root.

adduser ronald
usermod -aG sudo ronald

We can change ssh port from the default listening port of 22, to something a little more obscure. In this example, we'll use port 432.

nano /etc/ssh/sshd_config

Find the port line and change port number as shown

Port 432

and restart ssh

systemctl restart ssh

Reconnect with the new user (in this example, ronald) by specifying the new port:

ssh -p 432 ronald@<Server IP Address>

If the server is also going to be using IPv6 then check that it’s enabled in the ufw config file:

sudo nano /etc/default/ufw

If you see the line:


then change to


The official Ubuntu documentation on SSH can be found at

UFW Firewall Rules

Now we’ll use the ufw command to add some firewall rules. We'll be swapping to Iptables later but for now it's quicker to set up some initial security using UFW so you're protected until you get that far. UFW is short for Uncomplicated Firewall and is a simple interface that allows easy configuration of the more complicated Iptables that sits behind it. More information can be found on the Ubuntu site here:

We'll firstly set default incoming and outgoing rules:

sudo ufw default deny incoming && sudo ufw default allow outgoing

and then configure it to allow in connections to the SSH port we specified earlier:

sudo ufw allow in 432/tcp

and then restart ufw to apply the new config:

sudo ufw disable && sudo ufw enable

Check Time Zone and Synchronize System

Check your current timezone with the simple command:


If your timezone is incorrect, run the following to correct:

sudo dpkg-reconfigure tzdata

It’s recommended your system read RTC time in UTC standard to prevent unexpected behavior. To do this, run the following command:

sudo timedatectl set-local-rtc 0

To use NTP to synchronise your system clock with an NTP server, first allow incoming and outgoing UDP traffic on your firewall on port 123, then run the following command:

sudo timedatectl set-ntp true

Check the status with:

sudo systemctl status systemd-timesyncd

Hostname and FQDN

Finally, before we move on, we’ll set the hostname and the FQDN. I had to make an additional change here as my VPS is supplied by OVH. The details are set by an auto config script, and if changed then they will be overwritten again the next time the server reboots. This next step only applies to an OVH VPS:

sudo nano /etc/cloud/cloud.cfg

Make sure the following values are set:

preserve_hostname: true
manage_etc_hosts: false

Continue from here if not with OVH, although it’s worth checking the documentation from your supplier if using a cloud VPS.

We change the hostname here:

sudo nano /etc/hostname

In this example, we’ll call it websrv1


We change the FQDN here:

sudo nano /etc/hosts

It should look something like the below, so edit accordingly. In this example, the website will be located at Change this to your own domain, and substitute *public_ip* with the IP address of your server   websrv1
*public_ip*   websrv1       localhost

Finally, reboot…

sudo reboot

and check your hostname

sudo hostname -f


Now that we have the hostname set up, we can set up the DNS for our main domain with whichever registrar you use. I personally use Cloudflare to manage my DNS settings. Some registrars have more limited settings within their advanced DNS control panel. If you want to use Cloudflare to manage your DNS then create an account with them and add a site. It will then give you instructions on how to change the settings with your registrar to allow Cloudflare to manage the DNS. Basically it involves changing the nameservers within your registrars control panel so that they point to the custom nameservers that Cloudflare have instructed you to use.

Once you've set this up, create an A record for pointing to your public IPv4 address, and an AAAA record pointing to your public IPv6 address. Do the same again for the FQDN

If using Cloudflare then each DNS record will have a cloud symbol to the right hand side. This represents Cloudflares caching service. Make sure the service is switched off by clicking the cloud. An orange cloud means that caching is on. A white cloud is off.

Static IP or DynDNS

A static IP works best but with many ISP's, this isn't possible. It's worth asking though. My own ISP gave me a static IP address for a one-off fee of £5.

If it's not possible to obtain a static IP address then it's possible to instead set up a dynamic DNS service instead. I personally use ChangeIP ( to do this. How it works is you have a custom domain with your DynDNS service eg You then have a client on your machine that constantly updates the service with your current IP address. Therefore the domain should always resolve to your current IP address. I personally have a static IP at home and at work, and use a DynDNS client on my Android phone.

With this in place, it allows you to secure your system further. You could change your firewall to only allow SSH connections in from those addresses, or you could change a web servers configuration to only allow those addresses to access a web applications admin page.