Ubuntu-Server-16.04

Basic Setup of Ubuntu Server 16.04

This article covers a few basic configurations recommended for a newly installed public facing Ubuntu Server. You are advised to undertake these steps as soon as possible. In order to execute the steps, first login to your system as root. If your server is at a remote location, use SSH to access your server. Just open a terminal on your PC and login through the following command (replace your_server_ip with your real IPv4 Address).

[code language=”bash”] ssh [email protected]_server_ip [/code]

The root user on a Linux system has very extensive privileges. Given so, it is advisable not to use the root user account on a regular basis as an inadvertent error in a command can lead to catastrophic results. A rather simplified approach is to use the system as a normal user and escalate privileges on a need basis.

Using GNU Screen for Terminal Multiplexing

Note: You may skip this section if you desire.

A remote connection can be interrupted due to many reasons including network outrage. In such a scenario, there is high probability of losing SSH access in the middle of a job. This may terminate the session and the ongoing job while the system in an unpredictable state. The GNU screen can come to rescue in such a situation. In brief, GNU Screen is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells. It comes pre-installed on Ubuntu Server 16.04. To use screen just type “screen” in a shell/terminal and hit “enter”.

[code language=”bash”] screen [/code]

It will display a long message. Just hit “enter”. You are in a screen terminal now. To verify type “Ctrl+a” followed by “v”. You should see an output similar like “screen 4.03.01 (GNU) 28-Jun-15″.

[code language=”bash”] Ctrl-a v [/code]

[code language=”bash”] screen 4.03.01 (GNU) 28-Jun-15 [/code]

Open a new window within the screen by typing “Ctrl+a” followed by “c”.

[code language=”bash”] Ctrl-a c [/code]

You have opened a new window within the screen. Now run “top” in this window.

[code language=”bash”] top [/code]

To go back to the previous window press “Ctrl+a” followed by “p”.

[code language=”bash”] Ctrl-a p [/code]

Similarly to go to the next window press “n” instead of “p”.

[code language=”bash”] Ctrl-a n [/code]

Close the shell. Now open a new shell and connect to your server and type “screen -r”.

[code language=”bash”] screen -r [/code]

You should be taken back to where you left off. If, instead, you see a message similar to the following then the screen has not detached.

[code language=”bash”]
There is a screen on:
1710.pts-0.ip-172-31-28-182 (02/04/18 16:59:55) (Attached)
There is no screen to be resumed.
[/code]

You can reattach the screen by the following command.

[code language=”bash”] screen -x [/code]

You can also detach a screen manually by the following command.

[code language=”bash”] Ctrl-a d [/code]

[code language=”bash”] [detached from 1604.pts-0.ip-172-31-28-182] [/code]

The current screen will be detached and sent to the background. Now attach/resume the screen by typing “screen -r”.

[code language=”bash”] screen -r [/code]

You can refer to the manual of screen for more command details.

[code language=”bash”] man screen [/code]

Creating a New User

While you are logged in as root (if the prompt on the shell is “#” then you are logged in as root else if the prompt is “$” then you are logged in as a non-root user), type the following command (replace saumyakswain with your desired name).

[code language=”bash”]
adduser saumyakswain
[/code]

Provide a strong password and repeat the same when asked. Additionally, you may choose to answer the other questions or you may leave them blank and just press the return (or enter) key.

Root Privileges for the New User

Instead of changing between the root and normal user for administrative and normal tasks, we can give the new user superuser privileges. This way the normal user can perform administrative tasks by adding the command “sudo” the beginning of any command. We can give superuser privileges to a normal user by adding it to the “sudo” group. You can add a user to the sudo group by the following command.

[code language=”bash”]
usermod -aG sudo saumyakswain
[/code]

Public Key Authentication

Logging in remotely using passwords is not a safe practice considering the fact that thousands of bots will be trying to brute force into your system. A more secure option is to use Public Key instead of passwords.

If you have not used public key earlier, you need to generate a key pair on your local system (PC) which can be used to authenticate remote servers. If you already have a public key, skip ahead the key generation step. To generate a ssh key pair, open a new terminal (shell) and enter the following command.

[code language=”bash”]
ssh-keygen
[/code]

Accept the default location of the key file. Next you will be asked for a pass-phrase to secure the key you may leave the pass-phrase blank and hit return.

The command will generate a key-pair – id_rsa the private key and id_rsa.pub – in the .ssh directory of the current user (local). DO NOT share the private key with any one.

In order to use the keys, we need to copy the public component of the key-pair to the sever(s) which we want to login through public key. The easy way to accomplish this is to use the “ssh-copy-id” command. But please be informed that the ssh-copy-id command relies on password authentication for copying the key and hence it will not work if password authentication is disabled. You may temporarily allow password authentication and use ssh-copy-id or use the alternative method of copying the key manually.

Using ssh-copy-id to Copy the Public Key

Type the following command on a terminal replacing the user name and IP address with appropriate values.

[code language=”bash”]
ssh-copy-id [email protected]_server_ip
[/code]

You will be prompted for the password of the user. Provide the password you entered while creating the new user and not the root password. Note: You can omit the username and simply type “ssh-copy-id your_server_ip” if the username on the local system and the remote server are the same.

Manually Copying the Public Key

If you don’t want to enable password authentication then you can copy it manually. To display your public key, type the following command on your local system.

[code language=”bash”]
cat ~/.ssh/id_rsa.pub
[/code]

 

This will output something like the following

[code language=”bash”]
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+U6uomKAd0lgP1g/pj6q44w599N8b9kVjdc1W5WDp0ciujFvIoe/ZwdyZVft2LnsWnPPypD0JsgZ7pe68kVyE3+NNOrfT6g6FImgKAZ585q/5OqRbCs8CiDjFaKPDk9bpy7Fl6IMnBNIde7dnw81LPtYr7k1CX6jgIYGu7yjGgWCLysEVTeON+x0JCqxFkMhjtcJFCMyjq5Mgjqm2JN/FoXgNiXrc3GQ08LfKpjKNpxPpJVoEgI/+AGk6yrGw4l4pQcRQQFh9yRJFslIBDp7ZOt02XB9jbMhgRwm8yAETwVYz18pI/c8PWtf++//84vHE5IY+uwiZF28GB5npaqHv [email protected]
[/code]

Copy the content. On the server, type the following as root.

[code language=”bash”]
su – saumyakswain
[/code]

This will log you in as the non-root user (the new user) which you want to login through public key. Once logged in, create a .ssh directory in the new user’s home and restrict its permissions.

[code language=”bash”]
mkdir ~/.ssh
chmod 700 ~/.ssh
[/code]

Create a file named authorized_keys using your favourite text editor in the .ssh directory.

[code language=”bash”]
nano ~/.ssh/authorized_keys
[/code]

Paste the contents of the public key which you copied form your local system into this file. Press “Ctrl+x” to exit. Press “y” when prompted to same. Now restrict access to this file by the following command.

[code language=”bash”]
chmod 700 ~/.ssh/authorized_keys
[/code]

Return to the root user by pressing Ctrl+d or the following command.

[code language=”bash”] exit [/code]

Disable Password Authentication

Now that we have configured public key authentication, it’s a good idea to disable password based authentication. As root, edit the sshd configuration file.

[code language=”bash”] sudo nano /etc/ssh/sshd_config [/code]

Find the line with “PasswordAuthentication”. Change it’s value to “no”.

[code language=””] PasswordAuthentication no [/code]

Exit the editor by pressing Ctrl+x. Press “y” to save.

Reload the configuration of the ssh daemon for the changes to take effect.

[code language=”bash”] systemctl reload ssh.service [/code]

Try logging in as the new user from a new terminal.

[code language=”bash”] ssh [email protected]_server_ip [/code]

Type a command with sudo.

[code language=”bash”] sudo tail /var/log/auth.log [/code]

Setup a Basic Firewall

A firewall restricts or allows a connection into or out of a server based on rules. UFW or Uncomplicated Firewall is one such utility which comes installed on Ubuntu Server 16.04. Different applications register their profiles with UFW during installation. We can activate these profiles to allow the application to communicate. To view the available application profiles, as non-root user type:

[code language=”bash”] sudo ufw app list [/code]

This should display OpenSSH as an output. Allow communication for OpenSSH by the following command.

[code language=”bash”] sudo ufw allow OpenSSH [/code]

Now enable ufw.

[code language=”bash”] sudo ufw enable [/code</pre>
Type "y" and press Enter. Check status of ufw by typing:
<pre>[code language="bash"] sudo ufw status [/code]

When you install more applications like Nginx or Postfix, they will register their profile with ufw. You will need to allow their profiles through ufw before using them.

1 thought on “Basic Setup of Ubuntu Server 16.04

  1. Pingback: How to Install Nginx, MariaDB and PHP (LEMP) on Ubuntu 16.04 - DigiKite | Blog

Leave a Reply

Your email address will not be published. Required fields are marked *