Ubuntu 20.04 Server - First Steps
I am going to assume that a domain name has already been purchased. If not, it's probably best to get that sorted before continuing. Many registrars offer a discount for the first year, so a domain can be had for a couple of pounds. I personally use Namecheap to buy my domains.
Partitioning
Partitioning is often down to personal taste. I personally create separate partitions for /, /home, /var, /var/log, and /boot.
Connect and Update
Connect to the new server via SSH:
ssh root@<Server IP Address>
Update the package lists and install any available updates:
apt update && apt upgrade
Securing Partitions
Mount /tmp on tmpfs with restrictive options, then bind-mount /var/tmp onto /tmp:
nano /etc/fstab
tmpfs /tmp tmpfs rw,size=2G,nr_inodes=100k,noexec,nodev,nosuid,relatime 0 0
/tmp /var/tmp none bind 0 0
Also ensure that the nodev option is set for the /home entry (the device path below matches the author's layout; adjust it to your own partitioning), and that the noexec,nosuid,nodev options are set for shared memory. On Ubuntu, /dev/shm is a symlink to /run/shm, which is why the entry below uses /run/shm:
/dev/vg0/home /home ext4 defaults,nodev 0 0
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
Mount the additional entries:
mount -a
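The following script, added here as an example and not part of the original guide, audits an fstab for the hardening options this section applies: it checks that /tmp and /run/shm carry noexec,nodev,nosuid, that /var/tmp is a bind mount and that /home has nodev. The sample fstab it runs against is constructed (with /home deliberately missing nodev); point audit_fstab at /etc/fstab to check a real host.

```sh
#!/bin/sh
# Added example (not from the original guide): audit an fstab for the
# hardening options the section above applies. Mount points and required
# options mirror the entries shown there; /run/shm is used because Ubuntu's
# /dev/shm is a symlink to it.

# fstab_has_opts FILE MOUNTPOINT OPT[,OPT...]
# Returns 0 when the uncommented entry for MOUNTPOINT lists every option,
# 1 when an option is missing or there is no entry at all.
fstab_has_opts() {
    _file=$1; _mp=$2; _wanted=$3
    # field 2 is the mount point, field 4 the option list; comment lines are skipped
    _opts=$(awk -v mp="$_mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$_file")
    [ -n "$_opts" ] || return 1
    for _o in $(printf '%s' "$_wanted" | tr ',' ' '); do
        case ",$_opts," in
            *",$_o,"*) ;;          # option present
            *) return 1 ;;         # option missing
        esac
    done
    return 0
}

# audit_fstab FILE: prints one PASS/FAIL line per mount point and returns
# the number of failing entries (0 means everything is as the section requires).
audit_fstab() {
    _f=$1; _fails=0
    for _spec in "/tmp=noexec,nodev,nosuid" "/var/tmp=bind" \
                 "/run/shm=noexec,nodev,nosuid" "/home=nodev"; do
        _mp=${_spec%%=*}; _req=${_spec#*=}
        if fstab_has_opts "$_f" "$_mp" "$_req"; then
            printf 'PASS %-9s has %s\n' "$_mp" "$_req"
        else
            printf 'FAIL %-9s needs %s\n' "$_mp" "$_req"
            _fails=$((_fails + 1))
        fi
    done
    return "$_fails"
}

# Constructed sample fstab (not a real host's file): /home lacks nodev on purpose.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/vg0/root / ext4 errors=remount-ro 0 1
/dev/vg0/home /home ext4 defaults 0 0
tmpfs /tmp tmpfs rw,size=2G,nr_inodes=100k,noexec,nodev,nosuid,relatime 0 0
/tmp /var/tmp none bind 0 0
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
EOF
audit_fstab "$SAMPLE_FSTAB" || echo "$? mount point(s) need attention"
rm -f "$SAMPLE_FSTAB"
# To audit the live configuration instead: audit_fstab /etc/fstab
```

The check reads the file rather than the running mounts, so run it before `mount -a` to catch a typo in the options, and compare with `findmnt -o TARGET,OPTIONS /tmp` afterwards to confirm the kernel applied them.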
Basic SSH Security
Next, before we can disable SSH access for the root user, we need to create a normal user to do all of our work over SSH instead. We then add this user to the sudo group so that they can temporarily elevate to root when a command needs it.
adduser ronald
usermod -aG sudo ronald
We can change the SSH port from the default of 22 to something a little more obscure. In this example, we'll use port 432.
nano /etc/ssh/sshd_config
Find the Port line (in the stock file it is commented out as #Port 22) and change the port number as shown:
Port 432
and restart the SSH service:
systemctl restart ssh
Reconnect as the new user (ronald in this example) on the new port, keeping the existing root session open until the new login is confirmed to work:
ssh -p 432 ronald@<Server IP Address>
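The edits above are done by hand in nano. As an added example (not the guide's own code), the script below makes the same two changes idempotently, so it can be re-run without leaving duplicate Port or PermitRootLogin lines, and reads back the value sshd would actually use. It assumes port 432 from this section; the sshd_config excerpt in the demo is constructed, not taken from a real host.

```sh
#!/bin/sh
# Added example (not from the original guide): edit sshd_config settings in an
# idempotent way, so re-running the script does not add duplicate lines.
# Assumes the options this section works towards (Port 432, root login off).

# set_sshd_option FILE KEY VALUE
# Rewrites the first existing "Key value" line, commented out or not, to
# "KEY VALUE", drops later duplicates (sshd uses the first occurrence), and
# appends the line if KEY is absent. Lines after a "Match" block start are
# not touched, because options there apply conditionally.
set_sshd_option() {
    _file=$1; _key=$2; _val=$3
    awk -v key="$_key" -v val="$_val" '
        /^[[:space:]]*Match([[:space:]]|$)/ { in_match = 1 }
        !in_match {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and "#"
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " val; done = 1 }
                next
            }
        }
        { print }
        END { if (!done) print key " " val }
    ' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# get_sshd_option FILE KEY: prints the first uncommented value, as sshd would use it.
get_sshd_option() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the two changes this section is working towards.
# Note: the stock Ubuntu 20.04 file starts with
# "Include /etc/ssh/sshd_config.d/*.conf"; a setting in one of those files
# comes first and therefore wins over the same setting here, so check them too.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
}

# Constructed excerpt of an sshd_config (not a real host's file) for the demo.
DEMO_CFG=$(mktemp)
cat > "$DEMO_CFG" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
ChallengeResponseAuthentication no
EOF
harden_sshd "$DEMO_CFG" 432
cat "$DEMO_CFG"
rm -f "$DEMO_CFG"
# On the real file: harden_sshd /etc/ssh/sshd_config 432, then run "sshd -t"
# to validate before "systemctl restart ssh", and keep the current session open.
```

Running `sshd -t` before the restart matters because a malformed sshd_config stops the service from starting, and with the root session closed that would mean a trip to the provider's console.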
If the server is also going to use IPv6, check that it's enabled in the ufw configuration file:
sudo nano /etc/default/ufw
If you see the line:
IPV6=no
then change it to
IPV6=yes
The official Ubuntu documentation on SSH can be found at https://help.ubuntu.com/community/SSH
UFW Firewall Rules
Now we'll use the ufw command to add some firewall rules. We'll be swapping to iptables later, but for now it's quicker to set up some initial protection with UFW so you're covered until you get that far. UFW is short for Uncomplicated Firewall and is a simple front end that makes it easy to configure the more complicated iptables that sits behind it. More information can be found on the Ubuntu site: https://help.ubuntu.com/community/UFW
First, set the default policies (deny incoming, allow outgoing):
sudo ufw default deny incoming && sudo ufw default allow outgoing
then allow inbound connections to the SSH port we chose earlier:
sudo ufw allow in 432/tcp
then restart ufw to apply the new configuration:
sudo ufw disable && sudo ufw enable
Check Time Zone and Synchronize System
Check your current timezone with the simple command:
date
If your timezone is incorrect, correct it with:
sudo dpkg-reconfigure tzdata
It's recommended that the system keeps the RTC in UTC to prevent unexpected behaviour. To do this, run:
sudo timedatectl set-local-rtc 0
To synchronise the system clock with an NTP server, first allow incoming and outgoing UDP traffic on port 123 through your firewall, then run:
sudo timedatectl set-ntp true
Check the status with:
sudo systemctl status systemd-timesyncd
Hostname and FQDN
Finally, before we move on, we'll set the hostname and the FQDN. I had to make an additional change here because my VPS is supplied by OVH: the details are set by an auto-config script, and if changed they will be overwritten again the next time the server reboots. This next step only applies to an OVH VPS:
sudo nano /etc/cloud/cloud.cfg
Make sure the following values are set:
preserve_hostname: true
manage_etc_hosts: false
Continue from here if not with OVH, although it's worth checking your supplier's documentation if using a cloud VPS.
We change the hostname here:
sudo nano /etc/hostname
In this example, we'll call it websrv1:
websrv1
We change the FQDN here:
sudo nano /etc/hosts
It should look something like the below, so edit accordingly. In this example, the website will be located at example.com. Change this to your own domain, and substitute *public_ip* with the IP address of your server:
127.0.1.1 websrv1.example.com websrv1
*public_ip* websrv1.example.com websrv1
127.0.0.1 localhost
Finally, reboot…
sudo reboot
and check that the FQDN comes back as expected:
sudo hostname -f
DNS
Now that we have the hostname set up, we can set up the DNS for our main domain with whichever registrar you use. I personally use Cloudflare to manage my DNS settings. Some registrars have more limited settings within their advanced DNS control panel. If you want to use Cloudflare to manage your DNS, create an account with them and add a site. It will then give you instructions on how to change the settings with your registrar to allow Cloudflare to manage the DNS. Basically it involves changing the nameservers within your registrar's control panel so that they point to the custom nameservers that Cloudflare have instructed you to use.
Once you've set this up, create an A record for example.com pointing to your public IPv4 address, and an AAAA record pointing to your public IPv6 address. Do the same again for the FQDN (websrv1.example.com in this example).
If using Cloudflare, each DNS record will have a cloud symbol on the right-hand side. This represents Cloudflare's caching service. Make sure the service is switched off by clicking the cloud. An orange cloud means that caching is on; a white cloud means it is off.
Static IP or DynDNS
A static IP works best, but with many ISPs this isn't possible. It's worth asking though. My own ISP gave me a static IP address for a one-off fee of £5.
If it's not possible to obtain a static IP address, it's possible to set up a dynamic DNS service instead. I personally use ChangeIP (https://www.changeip.com) to do this. How it works is that you have a custom domain with your DynDNS service, e.g. example.dyndns.com. You then have a client on your machine that constantly updates the service with your current IP address, so the domain example.dyndns.com should always resolve to your current IP address. I personally have a static IP at home and at work, and use a DynDNS client on my Android phone.
With this in place, you can secure your system further. You could change your firewall to only allow SSH connections in from those addresses, or you could change a web server's configuration to only allow those addresses to access a web application's admin page.
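A DynDNS name only helps the firewall if the rule follows the address as it changes. The script below is an added example (not the guide's or ChangeIP's code) of doing that with ufw: it resolves the name, compares it with the address recorded last time, adds the new allow rule before deleting the old one, and keeps the existing rule if the lookup fails so a DNS hiccup cannot lock you out. It assumes the name example.dyndns.com and port 432 from the guide; the state-file path and the 203.0.113.x addresses in the demo are constructed. IPv6 would follow the same pattern using `getent ahostsv6`.

```sh
#!/bin/sh
# Added example (not from the original guide): keep a ufw rule that limits SSH
# to the address a DynDNS name currently resolves to, as the section suggests.
# Assumes the name example.dyndns.com and port 432 from the guide; the state
# file path is an assumption. IPv6 would follow the same pattern with ahostsv6.

# resolve_v4 NAME: first IPv4 address NAME resolves to, or nothing on failure
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# ufw_ssh_allow_cmds OLD_IP NEW_IP PORT
# Prints the ufw commands that move the SSH allow rule from OLD_IP to NEW_IP.
# Prints nothing when NEW_IP is empty or equals OLD_IP, and always emits the
# new allow before deleting the old one, so there is no window with no rule.
ufw_ssh_allow_cmds() {
    _old=$1; _new=$2; _port=$3
    if [ -z "$_new" ] || [ "$_old" = "$_new" ]; then
        return 0
    fi
    printf 'ufw allow in from %s to any port %s proto tcp\n' "$_new" "$_port"
    if [ -n "$_old" ]; then
        printf 'ufw delete allow in from %s to any port %s proto tcp\n' "$_old" "$_port"
    fi
}

# update_dyndns_ssh_rule NAME PORT STATEFILE
# Resolves NAME, compares it with the address recorded in STATEFILE and applies
# the difference (with DRY_RUN=1 the commands are only printed). A failed
# lookup keeps the existing rule so a DNS hiccup cannot lock the admin out.
update_dyndns_ssh_rule() {
    _name=$1; _port=$2; _state=$3
    _old=""
    if [ -f "$_state" ]; then _old=$(cat "$_state"); fi
    _new=$(resolve_v4 "$_name")
    if [ -z "$_new" ]; then
        echo "lookup of $_name failed; keeping rule for ${_old:-<none>}" >&2
        return 1
    fi
    ufw_ssh_allow_cmds "$_old" "$_new" "$_port" | while read -r _cmd; do
        # $_cmd is deliberately unquoted so the shell splits it into ufw's arguments
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "$_cmd"; else $_cmd; fi
    done
    printf '%s\n' "$_new" > "$_state"
}

# Demo with constructed addresses from the documentation range (no ufw is run):
echo "first run (no previous address):"
ufw_ssh_allow_cmds "" 203.0.113.7 432
echo "address changed:"
ufw_ssh_allow_cmds 203.0.113.7 203.0.113.9 432
# Real use, e.g. from cron every few minutes (state path is an assumption):
#   update_dyndns_ssh_rule example.dyndns.com 432 /var/lib/dyndns-ssh.ip
```

Run it once with DRY_RUN=1 to see what it would change, and keep the generic `ufw allow in 432/tcp` rule from earlier in place until the DynDNS-scoped rule has been seen working from the remote end; only then remove the broad rule, otherwise a wrong address in the state file means losing access.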