This article covers a few basic configurations recommended for a newly installed, public-facing Ubuntu Server. You are advised to carry out these steps as soon as possible after installation, before the machine has been on the Internet for long. To execute them, first log in to your system as root. If your server is at a remote location, use SSH: open a terminal on your PC and log in as root with ssh, giving the user name and the server address in the usual user@host form (replace your_server_ip with your server's real IPv4 address).
The root user on a Linux system has very extensive privileges, so it is advisable not to use the root account for day-to-day work: an inadvertent error in a single command can have catastrophic results. The simpler approach is to work as a normal user and escalate privileges only when a task needs them.
Using GNU Screen for Terminal Multiplexing
Note: You may skip this section if you desire.
A remote connection can be interrupted for many reasons, including a network outage. In that case there is a high probability of losing SSH access in the middle of a job: the session is terminated, the ongoing job is killed with it, and the system may be left in an unpredictable state (a half-finished package upgrade, for example). GNU Screen comes to the rescue here. In brief, GNU Screen is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells; the processes keep running inside the screen session even when the terminal that started it disappears. It comes pre-installed on Ubuntu Server 16.04. To use screen just type “screen” in a shell/terminal and hit “enter”.
It will display a long welcome message. Just hit “enter”. You are in a screen session now. To verify, type “Ctrl+a” followed by “v”. You should see output similar to:
screen 4.03.01 (GNU) 28-Jun-15
Open a new window within the screen by typing “Ctrl+a” followed by “c”.
You have opened a new window within the screen. Now run “top” in this window.
To go back to the previous window press “Ctrl+a” followed by “p”.
Similarly, to go to the next window press “Ctrl+a” followed by “n” instead of “p”.
Now simulate a dropped connection: close the terminal window on your PC without typing exit. Open a new terminal, connect to your server again and type “screen -r”.
You should be taken back to where you left off, with top still running in the second window. If, instead, you see a message like the following, the old session is still marked as attached: the server has not yet noticed that the connection dropped, so screen refuses to resume a session that another terminal appears to be using.
There is a screen on:
    1710.pts-0.ip-172-31-28-182 (02/04/18 16:59:55) (Attached)
There is no screen to be resumed.
In that case tell screen to detach the stale attachment first and then resume it: combine the -d (detach) and -r (resume) options in a single screen command, optionally followed by the session name shown in the listing.
You can also detach a screen manually: press “Ctrl+a” followed by “d”. Screen confirms with a message like:
[detached from 1604.pts-0.ip-172-31-28-182]
The current screen is detached and keeps running in the background, together with whatever was running inside it. Attach/resume it again by typing “screen -r”.
You can refer to the screen manual page for more command details.
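As an added example (not part of the original article), the following shell function decides which reattach command to run from the output of “screen -ls”, including the “(Attached)” case described above. The listings it is run against are constructed here to mirror the article's messages; in practice you would feed it the real output of “screen -ls” (which exits non-zero when no session exists).

```shell
#!/usr/bin/env bash
# Added example: pick the right reattach command from `screen -ls` output.

# choose_reattach LISTING
#   Prints "screen -d -r NAME" if a session is still marked Attached
#   (detach the stale attachment first, then resume),
#   "screen -r NAME" if a detached session is available,
#   nothing, with exit status 1, if no session is listed.
# A session line looks like "  1710.pts-0.host  (02/04/18 16:59:55)  (Attached)";
# the first whitespace-separated field is the session name, which is given
# explicitly so the command also works when several sessions exist.
choose_reattach() {
    listing=$1
    attached=$(printf '%s\n' "$listing" | awk '/\(Attached\)/ { print $1; exit }')
    detached=$(printf '%s\n' "$listing" | awk '/\(Detached\)/ { print $1; exit }')
    if [ -n "$attached" ]; then
        printf 'screen -d -r %s\n' "$attached"
    elif [ -n "$detached" ]; then
        printf 'screen -r %s\n' "$detached"
    else
        return 1
    fi
}

# Constructed listings mirroring the article's messages (not real output).
LISTING_ATTACHED='There is a screen on:
    1710.pts-0.ip-172-31-28-182 (02/04/18 16:59:55) (Attached)
1 Socket in /var/run/screen/S-saumyakswain.'
LISTING_DETACHED='There is a screen on:
    1604.pts-0.ip-172-31-28-182 (02/04/18 17:02:10) (Detached)
1 Socket in /var/run/screen/S-saumyakswain.'
LISTING_NONE='No Sockets found in /var/run/screen/S-saumyakswain.'

choose_reattach "$LISTING_ATTACHED"   # screen -d -r 1710.pts-0.ip-172-31-28-182
choose_reattach "$LISTING_DETACHED"   # screen -r 1604.pts-0.ip-172-31-28-182
choose_reattach "$LISTING_NONE" || echo "no session to resume; start a new one with: screen"
```

If you want a second terminal to watch the same session rather than steal it, use -x instead of -d -r; screen then attaches both terminals to the same windows.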
Creating a New User
While you are logged in as root (if the shell prompt ends in “#” you are root; if it ends in “$” you are a non-root user), create the account with the adduser command, replacing saumyakswain with the name you want. On Ubuntu, adduser creates the home directory and asks the questions below; the lower-level useradd does neither.
Provide a strong password and repeat it when asked. You may answer the other questions (full name, room number and so on) or leave them blank by just pressing the return (or enter) key.
Root Privileges for the New User
Instead of switching between root and the normal user for administrative and everyday tasks, we can give the new user superuser privileges. The normal user can then perform administrative tasks by prefixing a command with “sudo”; on Ubuntu, members of the “sudo” group may run any command as root after confirming their own password. You can add a user to the sudo group with the following command.
usermod -aG sudo saumyakswain
Public Key Authentication
Logging in remotely with a password is not a safe practice: thousands of bots continuously try to brute-force passwords on every server reachable from the Internet. A more secure option is public key authentication. The server stores only your public key, and a login requires possession of the matching private key, which never leaves your PC.
If you have not used public keys before, generate a key pair on your local system (PC); it will be used to authenticate you to remote servers. If you already have a key pair, skip the generation step. To generate an SSH key pair, open a terminal (shell) on your PC and run ssh-keygen. The defaults (an RSA key stored as id_rsa) are what the file names below assume.
Accept the default location of the key file. Next you will be asked for a passphrase to protect the private key. You may leave it blank and hit return, but a passphrase is strongly recommended: without one, anyone who copies the id_rsa file from your PC (malware, a stolen laptop, a careless backup) can log in to every server that trusts the key. With a passphrase, ssh-agent can cache the unlocked key so that you type it only once per session.
The command generates a key pair in the .ssh directory of the current (local) user: id_rsa is the private key and id_rsa.pub the public key. DO NOT share the private key with anyone; only the .pub file is ever copied to servers.
To use the keys, we need to copy the public half of the key pair to the server(s) we want to log in to with it. The easy way is the “ssh-copy-id” command. Be aware, however, that ssh-copy-id relies on password authentication to copy the key, so it will not work if password authentication is disabled on the server. You may temporarily allow password authentication and use ssh-copy-id, or use the alternative method of copying the key manually.
Using ssh-copy-id to Copy the Public Key
Run ssh-copy-id in a terminal on your PC, giving it the new user name and the server IP address in user@host form.
You will be prompted for the user's password: provide the password you chose when creating the new user, not the root password. ssh-copy-id appends the key to the user's ~/.ssh/authorized_keys on the server, creating the directory and file with the correct permissions if needed. Note: you can omit the username and simply type “ssh-copy-id your_server_ip” if the username on the local system and the remote server are the same.
Manually Copying the Public Key
If you don’t want to enable password authentication, copy the key manually. To display your public key, print the file id_rsa.pub from the .ssh directory of your local user (with cat, for example).
This will output a single long line like the following (the example shown is the author's key):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+U6uomKAd0lgP1g/pj6q44w599N8b9kVjdc1W5WDp0ciujFvIoe/ZwdyZVft2LnsWnPPypD0JsgZ7pe68kVyE3+NNOrfT6g6FImgKAZ585q/5OqRbCs8CiDjFaKPDk9bpy7Fl6IMnBNIde7dnw81LPtYr7k1CX6jgIYGu7yjGgWCLysEVTeON+x0JCqxFkMhjtcJFCMyjq5Mgjqm2JN/FoXgNiXrc3GQ08LfKpjKNpxPpJVoEgI/+AGk6yrGw4l4pQcRQQFh9yRJFslIBDp7ZOt02XB9jbMhgRwm8yAETwVYz18pI/c8PWtf++//84vHE5IY+uwiZF28GB5npaqHv saumyakswain@saumyakswain-Compaq-15-Notebook-PC
Copy the whole line. On the server, type the following as root.
su - saumyakswain
This switches you to the non-root user (the new user) for whom you want to enable public key login. In that user's shell, create a .ssh directory in the home directory and restrict its permissions so that only the owner can read or enter it:
mkdir ~/.ssh
chmod 700 ~/.ssh
Create a file named authorized_keys in the .ssh directory using your favourite text editor (the key presses below are nano's).
Paste the public key you copied from your local system into this file as a single line; a key that the terminal has wrapped onto several lines will not work. Press “Ctrl+x” to exit and “y” when prompted to save. Now restrict access to the file. It is a data file, so the owner needs only read and write permission (mode 600). sshd ignores the file entirely if it, or the .ssh directory, is writable by group or others, and the symptom of that is a refused key rather than an error message.
chmod 600 ~/.ssh/authorized_keys
Return to the root shell by pressing Ctrl+d or by typing exit.
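The manual steps above, done by code, as an added example that is not part of the original article: it installs a key line into a user's authorized_keys with the permissions sshd expects, refuses a line that is not a public key (pasting id_rsa instead of id_rsa.pub is the classic mistake), and checks the result. The home directory is a parameter, so the demo at the bottom runs on a throwaway directory with a constructed key line rather than a real account; the permission check assumes GNU stat (Linux).

```shell
#!/usr/bin/env bash
# Added example: install a public key for a user with the right permissions.

# looks_like_pubkey LINE -> exit 0 if LINE is an OpenSSH public key line
#   ("<type> <base64> [comment]"). Lines with leading options such as
#   from="..." are not handled here.
looks_like_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# install_authorized_key HOME_DIR KEYLINE
#   Creates HOME_DIR/.ssh (mode 700) and HOME_DIR/.ssh/authorized_keys
#   (mode 600) if needed and appends KEYLINE once. Refuses anything that
#   is not a public key line, e.g. the contents of a private key file.
install_authorized_key() {
    home=$1 key=$2
    if ! looks_like_pubkey "$key"; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 1
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR -> prints "ok", or the first problem found and
#   exits 1. sshd (StrictModes yes, the default) silently ignores
#   authorized_keys when the directory or the file is group/world writable;
#   this check enforces the stricter 700/600 used in the article.
#   Uses GNU stat (Linux), an assumption of this example.
check_ssh_perms() {
    home=$1
    dir_mode=$(stat -c %a "$home/.ssh" 2>/dev/null) || { echo "$home/.ssh missing"; return 1; }
    file_mode=$(stat -c %a "$home/.ssh/authorized_keys" 2>/dev/null) || { echo "authorized_keys missing"; return 1; }
    [ "$dir_mode" = 700 ] || { echo ".ssh is mode $dir_mode, expected 700"; return 1; }
    [ "$file_mode" = 600 ] || { echo "authorized_keys is mode $file_mode, expected 600"; return 1; }
    echo ok
}

# Demo on a temporary home with a constructed key line. The base64 body is
# filler, not a real key; on a real server use the line from your PC's
# ~/.ssh/id_rsa.pub and the new user's home directory.
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl0cmFpbmluZ2tleWZpbGxlcmJ5dGVzMDEyMzQ1 alice@laptop'
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"        # already present: nothing appended
install_authorized_key "$DEMO_HOME" '-----BEGIN OPENSSH PRIVATE KEY-----' || echo "private key rejected"
check_ssh_perms "$DEMO_HOME"                           # ok
```

Run as root with the new user's home directory and then chown the .ssh directory to that user; sshd also refuses a home directory or .ssh directory owned by someone else.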
Disable Password Authentication
Now that public key authentication is configured, it is a good idea to disable password-based authentication. Before you do, confirm from a second terminal that the new user can log in with the key, and keep the current root session open until the change has been verified: a mistake here locks you out of the server. As root, edit the sshd configuration file (the sudo prefix below is for when you do this from the new user's shell):
sudo nano /etc/ssh/sshd_config
Find the line with “PasswordAuthentication” and change its value to “no”. Make sure the line is not commented out with a leading “#”. sshd uses the first uncommented occurrence of a keyword, so a second copy appended at the end of the file changes nothing if an earlier line still says “yes”. While you are in the file, check that “PubkeyAuthentication” is not set to “no” and that “ChallengeResponseAuthentication” is “no” (the Ubuntu default); with the latter enabled, PAM can still prompt for a password.
Exit the editor by pressing Ctrl+x. Press “y” to save.
Check the edited file for syntax errors with sshd's -t (test) option, then reload the configuration of the ssh daemon for the changes to take effect. A reload leaves existing sessions, including yours, connected.
systemctl reload ssh.service
Try logging in as the new user from a new terminal on your PC (ssh with the new user name at the server address). You should get a shell without being asked for the account password, only for the key passphrase if you set one. If you see “Permission denied (publickey)” instead, the key was not accepted: use your still-open root session to check the contents and permissions of the user's authorized_keys before going further.
Type a command with sudo. You will be asked for the user's own password, which sudo needs regardless of how you logged in. The file shown below records every login attempt, including the failed password guesses from bots.
sudo tail /var/log/auth.log
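An added example (not part of the original article) that does the sshd_config part of this section by code, for the “Disable Password Authentication” steps above. It reads the value sshd will actually use for a keyword, rewrites a keyword in place, and refuses to disable passwords until an authorized_keys file holds a key, which is the lock-out check you want before touching the real file. Both functions take a file path, so the demo works on a constructed config rather than /etc/ssh/sshd_config; the config semantics it relies on (first uncommented occurrence wins, “Match” starts a conditional section, “Keyword=value” is accepted) are those of OpenSSH's sshd_config.

```shell
#!/usr/bin/env bash
# Added example: inspect and rewrite sshd_config keywords for key-only logins.

# sshd_effective FILE KEYWORD -> prints the value sshd will use, "" if unset.
#   sshd honours the FIRST uncommented occurrence of a keyword (case-
#   insensitive), and anything after the first "Match" line is conditional,
#   so scanning stops there. Both "Keyword value" and "Keyword=value" count.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blanks
        { sub(/^[ \t]*[^ \t=]+=/, "& "); k = tolower($1); sub(/=$/, "", k) }
        k == "match" { exit }                             # global scope ends here
        k == kw      { print $2; exit }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE
#   Rewrites the active global-scope KEYWORD line(s) to VALUE; if there is
#   none, inserts one before the first "Match" line (or at the end).
#   Appending 'echo "PasswordAuthentication no" >> sshd_config' is a classic
#   mistake: an earlier "yes" still wins, and the new line may land inside a
#   Match block.
sshd_set() {
    file=$1 tmp=$(mktemp)
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        { raw = $0 }
        /^[ \t]*#/ { print raw; next }
        { sub(/^[ \t]*[^ \t=]+=/, "& "); k = tolower($1); sub(/=$/, "", k) }
        k == "match" { if (!done) { print line; done = 1 }; inmatch = 1 }
        !inmatch && k == kw { print line; done = 1; next }
        { print raw }
        END { if (!done) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
    rm -f "$tmp"
}

# harden_for_key_only FILE AUTHORIZED_KEYS
#   Applies the settings from the section above, but refuses (exit 1, file
#   untouched) unless AUTHORIZED_KEYS already holds a key: disabling
#   passwords with no key installed locks you out of the server.
harden_for_key_only() {
    file=$1 keys=$2
    if ! grep -Eq '^(ssh-|ecdsa-sha2-)' "$keys" 2>/dev/null; then
        echo "refusing: no public key in $keys, disabling passwords would lock you out" >&2
        return 1
    fi
    sshd_set "$file" PubkeyAuthentication yes
    sshd_set "$file" PasswordAuthentication no
    # With UsePAM yes, keyboard-interactive auth can still ask for a password
    # unless this is off too (Ubuntu's default file already sets it to no).
    sshd_set "$file" ChallengeResponseAuthentication no
}

# Demo on a constructed config (not the Ubuntu default file). It contains
# both traps: an early "yes", and a "no" appended after a Match block.
DEMO_CFG=$(mktemp) DEMO_KEYS=$(mktemp)
cat > "$DEMO_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication=yes
UsePAM yes
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
EOF
BEFORE=$(sshd_effective "$DEMO_CFG" PasswordAuthentication)   # yes
# Constructed key line (filler, not a real key) standing in for the new user's authorized_keys.
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl0cmFpbmluZ2tleWZpbGxlcmJ5dGVzMDEyMzQ1 alice@laptop' > "$DEMO_KEYS"
harden_for_key_only "$DEMO_CFG" "$DEMO_KEYS"
AFTER=$(sshd_effective "$DEMO_CFG" PasswordAuthentication)    # no
echo "PasswordAuthentication: $BEFORE -> $AFTER"
```

On a real server, back up /etc/ssh/sshd_config first, run harden_for_key_only as root against the real file and the new user's authorized_keys, validate with sshd's -t option and only then reload the service, with your existing root session still open.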
Setup a Basic Firewall
A firewall restricts or allows connections into or out of a server based on rules. UFW (Uncomplicated Firewall) is one such utility; it is installed by default on Ubuntu Server 16.04. Applications can register profiles with UFW when they are installed, and we activate a profile to allow that application's traffic. To view the available application profiles, as the non-root user type:
sudo ufw app list
This should list OpenSSH. Its profile opens TCP port 22. Allow it before enabling the firewall: ufw's default policy denies incoming connections, so enabling it first would block new SSH logins.
sudo ufw allow OpenSSH
Now enable ufw.
sudo ufw enable
ufw warns that the command may disrupt existing ssh connections; type "y" and press Enter. Check the status of ufw by typing:
sudo ufw status
When you install more applications, such as Nginx or Postfix, they register their own profiles with ufw. You will need to allow those profiles through ufw before the services are reachable from outside; “sudo ufw app info” followed by a profile name shows which ports the profile opens.