Setting Up A New Linux Server Securely
By Diwanshu Shekhar
2 minutes read - 361 words

So you have a new server, either on premise or a virtual server from a company like Linode or Rackspace. What do you do next? How do you do the initial set-up, such as creating new users and keeping it secured from malicious attacks, among other things? Here are the steps that I follow pretty much every time. (Note: this tutorial is based on Ubuntu Server and will apply more or less to any Linux-based server.)

- SSH into your server as root. You will need the root password to do this; always remember your root password. Once you are logged in, follow the next steps. If you are setting up a Linux server on your own hardware, SSH may not be installed. To set up SSH, install openssh-server and openssh-client using apt-get, yum or apk, whichever package manager is appropriate for your server. On Ubuntu it is:
    apt-get install openssh-server openssh-client
  You can check whether SSH is running with this command:
    service --status-all
- Ensure the system package cache is up to date:
    apt-get update
- Upgrade all out-of-date packages:
    apt-get upgrade
- Install fail2ban. It is a security package that logs unsuccessful logins and blocks brute-force login attempts:
    apt-get install fail2ban
- Modify the SSH configuration so the root user account cannot be logged into directly. Edit the file /etc/ssh/sshd_config and set:
    PasswordAuthentication no
    UsePAM no
    PermitRootLogin no
- Create a non-root user and a non-root group, then set the password for the user:
    useradd -m user_name
    passwd user_name
- Give sudo rights to the user by editing the /etc/group file so that the sudo line reads:
    sudo:x:27:user_name
- Now we need to set up password-less SSH for the user we just created. Go to that user's home directory, make a directory named .ssh, and paste into the file .ssh/authorized_keys the public key you created on the local machine from which you plan to ssh into your server:
    vim .ssh/authorized_keys
- Restart ssh, then try to log in as the new user from another terminal on your local machine:
    service ssh reload
    ssh user_name@server-ip-address
  Note: if your private key is not in the id_rsa file, you have to point to it explicitly as follows:
    ssh -i .ssh/privatekey_file user_name@server-ip-address
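The steps above, collected into one script as an added example (this is not code from the original post). It goes slightly beyond the post: the sshd_config edits are idempotent and are placed at the top of the file rather than appended (sshd honours the first occurrence of a directive, and anything appended after a Match block would only apply to that block), the config is syntax-checked with sshd -t before sshd is reloaded, and the .ssh directory and authorized_keys file get the 700/600 permissions sshd's default StrictModes requires. The functions that edit files take the path as an argument so they can be tried on a copy first. Assumptions: usermod -aG sudo is used in place of hand-editing /etc/group (same effect, with proper locking); the function names, the --apply flag and the sample key in the comments are all made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the hardening steps above as
# idempotent shell functions. Functions that edit files take the file path as
# an argument, so they can be tried on a copy before touching /etc.
set -eu

# Set one "Key value" directive in an sshd_config-style file. Any existing
# line for the key (active or commented-out default) is removed, and the new
# line is placed at the TOP of the file: sshd takes the first occurrence of a
# directive, and anything appended after a "Match" block would apply only to
# that block.
set_sshd_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -v -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file" >> "$tmp" || true
    mv "$tmp" "$file"
}

# The three settings from the post, applied to the given sshd_config.
harden_sshd_config() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" PasswordAuthentication no
    set_sshd_directive "$1" UsePAM no
}

# Effective value of a directive (first occurrence wins, as in sshd).
sshd_directive_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the members of a group in a group file, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Add a user to a group line in a group file: exactly what the post does by
# hand in /etc/group, but skipping users that are already members.
add_user_to_group_file() {
    file="$1"; group="$2"; user="$3"
    if group_members "$file" "$group" | grep -qx "$user"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g { $4 = (($4 == "") ? u : ($4 "," u)) }
        { print }' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Install a public key for key-based login. sshd (StrictModes, the default)
# refuses keys whose directory or file are writable by others, hence 700/600.
install_authorized_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Append only if this exact key is not already present.
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# The full procedure on a live Ubuntu host; needs root. The order matters: the
# key is installed and the config is syntax-checked before sshd is reloaded,
# so password logins are only switched off once a key login is possible.
apply_all() {
    user="$1"; pubkey="$2"
    apt-get update
    apt-get upgrade -y
    apt-get install -y openssh-server openssh-client fail2ban
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t                              # set -e aborts here on a config error
    id "$user" >/dev/null 2>&1 || useradd -m "$user"
    usermod -aG sudo "$user"             # same effect as the /etc/group edit, with locking
    install_authorized_key "/home/$user" "$pubkey"
    chown -R "$user:$user" "/home/$user/.ssh"
    service ssh reload
    echo "Now run 'passwd $user' (sudo still needs a password) and test the key login from another terminal."
}

# Only act when explicitly asked (hypothetical flag), e.g.:
#   sh harden.sh --apply user_name "$(cat ~/.ssh/id_ed25519.pub)"
if [ "${1:-}" = "--apply" ]; then
    apply_all "$2" "$3"
fi
```

Keep the root session you ran this from open until the key login as the new user has been confirmed from a second terminal: after the reload, PasswordAuthentication no and PermitRootLogin no are in force, so a typo in the pasted public key would otherwise leave you with no way in.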