Initial setup for Linux servers
Since buying my first server last year I have bought several more. Because they are exposed to the internet, some configuration of the firewall, SSH and so on is needed for security. This article records how I set up a server from scratch. I generally use Debian/Ubuntu, and Debian is the example server in this article; some commands differ on other distributions, but the overall process is similar.
Register a new user
It is strongly recommended to operate Linux as a regular user, because root can do anything, including a mistaken command that damages the whole system.
First of all, log in to the VPS as root by ssh and create a user.
# add a group
addgroup admin
# add a user and create its dir.
# change usrname here to your own username
useradd -d /home/usrname -s /bin/bash -m usrname
# make a password for this user
passwd usrname
# add this user to the admin group
usermod -a -G admin usrname
Then, grant sudo permissions to the new user (individually, or to its group).
# install sudo
apt install sudo
# edit
visudo
Find the line root ALL=(ALL:ALL) ALL and add a line for the new user below it, as follows.
root ALL=(ALL:ALL) ALL
# under there
usrname ALL=(ALL:ALL) ALL
If you want to use sudo without a password, edit /etc/sudoers as follows. (NOPASSWD removes the password prompt, so anyone who obtains this user's session or key gets root without a further check; enable it only where that trade-off is acceptable.)
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
# under there
usrname ALL=(ALL) NOPASSWD:ALL
Now, you can login with this new user to see if it works.
SSH configuration
Password-less login for ssh. Copy your public key to the server:
ssh-copy-id -i ~/.ssh/id_rsa.pub usrname@123.456.789
In particular, if you have logged in to this VPS before and its system has since been reinstalled, the old host key record in ~/.ssh/known_hosts must be removed first, as follows; otherwise ssh refuses to connect because the host key has changed.
ssh-keygen -R 123.456.789
# or, with a specific port 22222
ssh-keygen -R "[123.456.789]:22222"
Then, configure the SSH daemon.
# login
ssh usrname@123.456.789
# backup
sudo cp /etc/ssh/sshd_config ~
# edit sshd_config
sudo vim /etc/ssh/sshd_config
It is recommended to modify the following parameters. Delete the # in front of the parameter to uncomment a line. A description of these parameters and the reasons for setting them can be found in the Appendix section at the end of this article.
Port 12345
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
UseDNS no
SyslogFacility AUTHPRIV
Protocol 2
PubkeyAcceptedKeyTypes=+ssh-rsa
Note that PasswordAuthentication no means the server no longer accepts password authentication at all, so you have to connect with your key. Make sure that you have uploaded your public key to this server, and keep your current session open while you confirm in a second terminal that key login works, before setting this parameter to no.
Then, change the permissions and restart ssh.
sudo chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/
sudo service ssh restart
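The following is an added example, not part of the original article: a small POSIX shell audit that reads an sshd_config file and reports which of the recommended directives above are missing or set to a different value. It mirrors how sshd reads the file (the first uncommented occurrence of a directive wins, keywords are case-insensitive, and a value may follow either whitespace or "="). The function names and the sample configuration it runs on are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config file
# against the hardening directives recommended above. sshd uses the FIRST
# uncommented occurrence of a directive, so that is the value reported here.
# Function names and the sample config below are constructed for this example.

# Print the effective value of a directive from the file in $1.
# Keywords are case-insensitive; the value may follow whitespace or "=".
# Prints nothing when the directive is not set (sshd then uses its default).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (match(line, /^[^[:space:]=]+/)) {
                kw  = tolower(substr(line, RSTART, RLENGTH))
                val = substr(line, RSTART + RLENGTH)
                sub(/^[[:space:]]*=?[[:space:]]*/, "", val)   # drop the separator
                sub(/[[:space:]]+$/, "", val)
                if (kw == key) { print val; exit }            # first match wins
            }
        }' "$1"
}

# Compare the file in $1 with the recommended values. Prints one line per
# deviation ("Directive expected=X actual=Y") and returns 1 if any was found,
# 0 when everything matches. An unset directive is reported as "(unset)":
# sshd's compiled-in default may be fine, but an explicit setting is what
# an audit should see.
audit_sshd_config() {
    rc=0
    for pair in "PermitRootLogin no" "PermitEmptyPasswords no" \
                "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "UseDNS no" "Protocol 2"
    do
        name=${pair%% *}
        want=${pair#* }
        got=$(sshd_effective "$1" "$name")
        [ -n "$got" ] || got="(unset)"
        if [ "$got" != "$want" ]; then
            echo "$name expected=$want actual=$got"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config: a partially hardened server (not a real file).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample sshd_config
#Port 22
Port 12345
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
UseDNS no
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF

echo "SSH port: $(sshd_effective "$sample" Port)"
if audit_sshd_config "$sample"; then
    echo "sshd_config matches the recommended settings"
else
    echo "fix the lines above, then run: sudo sshd -t && sudo service ssh restart"
fi
```

To check a real server, call audit_sshd_config /etc/ssh/sshd_config (as root, since the file is usually not world-readable). Running sudo sshd -t before the restart is the step that matters most: a syntax error in sshd_config makes the restart fail, and with only one session open that can mean being locked out.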
Set locale
Add the following content to ~/.profile.
export LANGUAGE=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8
Then apply it and generate the locales.
source ~/.profile
sudo locale-gen en_US en_US.UTF-8 en_CA.UTF-8
sudo dpkg-reconfigure locales
Update and Reboot
Update and reboot the server after configuration.
# update
sudo apt update
sudo apt upgrade -y
# reboot
sudo reboot
Firewall configuration (UFW)
I generally use ufw to manage the server's firewall. Install ufw if the command is not found.
sudo apt install ufw
Enable ufw. Its default policy for incoming traffic is deny, so if you are connected over SSH, allow your SSH port (next step) before enabling, or new sessions will be blocked.
sudo ufw enable
Open ports.
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow [SSH_PORT]
Set the firewall to deny incoming connections by default. Before running this, make sure the SSH port you set earlier has been allowed, or you will lose access to the server.
sudo ufw default deny
Disable a port.
sudo ufw delete allow 80
List the opened ports.
sudo ufw status
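An added example, not part of the original article: a pre-flight check for the lock-out risk mentioned above. It reads the text of sudo ufw status and confirms that the SSH port has an ALLOW rule before you run sudo ufw default deny or sudo ufw enable over an SSH session. The function names and the sample status output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check to run
# before `sudo ufw default deny` or `sudo ufw enable` over an SSH session.
# It reads the text of `sudo ufw status` and confirms the SSH port has an
# ALLOW rule, so the firewall change cannot cut off your own access.
# Function names and the sample status output are constructed for this example.

# Usage: ufw_port_allowed PORT [FILE]   (FILE defaults to stdin)
# Returns 0 if PORT has an incoming ALLOW rule, 1 otherwise.
# Matches "12345", "12345/tcp" and "ALLOW IN" (from `ufw status verbose`),
# but not outbound-only rules or the IPv6 duplicates ("12345 (v6)").
ufw_port_allowed() {
    awk -v port="$1" '
        $2 == "ALLOW" && $3 != "OUT" {
            split($1, parts, "/")           # "12345/tcp" -> parts[1] = "12345"
            if (parts[1] == port) found = 1
        }
        END { exit (found ? 0 : 1) }' "${2:--}"
}

# Usage: ufw_preflight PORT [FILE]
# Prints a verdict; returns 1 when ufw is inactive or the port is not allowed.
ufw_preflight() {
    status_text=$(cat "${2:--}")
    if ! printf '%s\n' "$status_text" | grep -q '^Status: active'; then
        echo "ufw is inactive: run 'sudo ufw allow $1' BEFORE 'sudo ufw enable'"
        return 1
    fi
    if printf '%s\n' "$status_text" | ufw_port_allowed "$1"; then
        echo "ok: port $1 has an ALLOW rule"
        return 0
    fi
    echo "LOCKOUT RISK: no ALLOW rule for port $1"
    return 1
}

# Constructed sample of `sudo ufw status` output (not captured from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
12345/tcp                  ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
EOF

ufw_preflight 12345 "$sample"            # ok: port 12345 has an ALLOW rule
ufw_preflight 22 "$sample" || true       # LOCKOUT RISK: no ALLOW rule for port 22
# On a real host: sudo ufw status | ufw_preflight 12345
```

The check reads the status text rather than calling ufw itself, so it can be run without root once the output has been captured, and it treats an inactive firewall as a failure because ufw status lists no rules in that state.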
Some apps (self-use)
sudo apt install net-tools build-essential vim neofetch lolcat curl git vnstat nload zip unzip
Appendix: Description of SSH Parameter Settings
This section provides a brief description of the SSH parameter settings mentioned in the article.
| Name and value | Description |
|---|---|
| Port 12345 | Moves the SSH service from the default port 22 to 12345. This cuts the noise from automated scanners that target port 22; it is obscurity rather than a substitute for the key-only authentication below. |
| PermitRootLogin no | Disallows direct SSH login as root, so an attacker who guesses or cracks a password does not obtain full system access; administrators log in as a regular user and use sudo. |
| PermitEmptyPasswords no | Rejects SSH logins with an empty password, so an account that has no password configured cannot be abused. |
| PasswordAuthentication no (Optional) | Disables password logins entirely; users must authenticate with a public/private key pair, which cannot be brute-forced the way a password can. |
| PubkeyAuthentication yes | Allows SSH login with public/private key pairs, a stronger authentication method that does not depend on a guessable password. |
| UseDNS no | Disables the reverse DNS lookup of client IP addresses, reducing connection latency and avoiding login delays or failures when the DNS query fails. |
| SyslogFacility AUTHPRIV | Sends sshd log messages to the AUTHPRIV syslog facility, which is reserved for security-related messages and is typically written to a log file readable only by administrators. |
| Protocol 2 | Restricts the server to SSH protocol version 2; version 1 has known weaknesses. Current OpenSSH releases no longer contain protocol 1 at all and ignore this directive, so it only matters on old installations. |
| PubkeyAcceptedKeyTypes=+ssh-rsa | Extends the default list of accepted public key algorithms with ssh-rsa, for compatibility with older clients. Note that ssh-rsa here means RSA signatures made with SHA-1, which OpenSSH 8.8 disabled by default; RSA keys still work through rsa-sha2-256 and rsa-sha2-512, so only add ssh-rsa for clients that cannot use those. In OpenSSH 8.5 and later the directive is named PubkeyAcceptedAlgorithms (the old name is still accepted as an alias). |